Answers ( 1 )

  1. 2016-12-31 23:12

    Windows (but not necessarily NTFS) prohibits the following characters in filenames: \/:*?"<>|, which precludes the characters necessary for most XSS attacks (<>"). Windows also disallows reserved DOS device file-names like COM, NUL, etc (though it is possible to create a file with that name, it cannot be done using the normal Win32 filesystem API).

    Linux (and UNIX and POSIX in general) is more permissive: every character is allowed in a filename except for / (the directory separator character) and \0 (NULL, a raw zero).

    I imagine an insecure web-application that saves uploaded files with their filenames intact and without having sanitized filenames probably will succumb to an XSS attack - unless they're also careful to never render HTML raw.

◀ Go back