I have a form posting to Perch forms that includes a file upload input, allowing users of the website to upload photos. Filenames of uploaded files are not sanitised - punctuation symbols like brackets and ampersands are accepted and so are spaces in the filenames.
Is that working correctly? The only operation affecting filenames appears to be the addition of a timestamp if a file has the same name as an existing file in the same directory.
I'm curious because files uploaded using the Perch admin are subject to much more stringent sanitisation.
The template is in the templates/content directory (not templates/forms). Template code (abbreviated):
    <perch:form id="cbd_form" method="post" app="perch_forms" action="#success">
    <perch:label for="cb_image_import1">Photo 1 (.jpg or .png)</perch:label>
    <perch:error for="cb_image_import1" type="filetype"> <div class="error">The file must be an image eg .jpg, .png.</div></perch:error>
    <perch:error for="cb_image_import1" type="fileupload"> <div class="error">Sorry but we couldn't upload that file - the file may be too large. Please email the images to us separately, clearly identifying which building they relate to.</div></perch:error>
    <perch:input id="cb_image_import1" type="image" label="Photo 1">
Perch Runway: 3.1.5, PHP: 7.3.11, MySQL: mysqlnd 5.0.12-dev - 20150407 - $Id: 7cc7cc96e675f6d72e5cf0f267f48e167c2abb23 $, with PDO
Server OS: WINNT, apache2handler
Installed apps: content (3.1.5), assets (3.1.5), categories (3.1.5), perch_forms (1.12)
App runtimes: <?php $apps_list = [ 'perch_forms', ]; ?>
Image manipulation: GD
PHP limits: Max upload 256M, Max POST 256M, Memory: 256M, Total max file upload: 256M
Resource folder writeable: Yes
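For comparison, here is an added example (not Perch's code and not part of the original post) of the kind of allowlist-based filename sanitisation the question is asking about: it keeps the collision rule the post describes (a timestamp suffix when a file of the same name already exists) but also strips spaces and punctuation, restricts the extension, and checks the real content type. The `$uploadDir` parameter and the function names are assumptions for the example.

```php
<?php
// Added example, not Perch's code: an allowlist-based filename sanitiser for
// form uploads. It keeps the behaviour the post describes (timestamp suffix on
// a name collision) but also strips spaces and punctuation and restricts the
// extension. $uploadDir and the function names are hypothetical.

function sanitise_upload_filename(string $clientName, string $uploadDir,
                                  array $allowedExt = ['jpg', 'jpeg', 'png']): ?string
{
    // Drop any directory part the client may have sent (../, C:\, etc.).
    $base = basename(str_replace('\\', '/', $clientName));

    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    $stem = pathinfo($base, PATHINFO_FILENAME);

    // Only accept extensions on the allowlist; reject anything else outright.
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    // Replace every character outside [A-Za-z0-9_-] (spaces, brackets, &, dots)
    // with an underscore, then trim leading/trailing separators.
    $stem = preg_replace('/[^A-Za-z0-9_-]+/', '_', $stem);
    $stem = trim($stem, '_-');
    if ($stem === '') {
        $stem = 'upload';
    }
    // Keep the stem to a sane length so the name cannot exceed filesystem limits.
    $stem = substr($stem, 0, 100);

    // Same collision rule as the post describes: append a timestamp if a file
    // with this name already exists in the target directory.
    $name = $stem . '.' . $ext;
    if (file_exists($uploadDir . DIRECTORY_SEPARATOR . $name)) {
        $name = $stem . '-' . time() . '.' . $ext;
    }
    return $name;
}

// Check the real content type as well, since the extension is client supplied.
function is_real_image(string $tmpPath): bool
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return in_array($mime, ['image/jpeg', 'image/png'], true);
}

// Constructed sample: "My Photo (1) & friends.JPG" becomes "My_Photo_1_friends.jpg"
// (or "My_Photo_1_friends-<timestamp>.jpg" if that file already exists).
```

Both checks are applied to the uploaded temporary file before it is moved into the resource folder; a `null` return from the sanitiser means the upload should be rejected.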