“Possible IE XSS Attack found.” when Trying to Upload a File in the Media Manager

Note: The solution presented in this post requires, ahem, a slight modification in a core file. Proceed with caution, and keep in mind that any change you make may be no more when you update your Joomla website.

A couple of hours ago, a high-level developer working for a major client of ours told us that she was getting the following error while trying to upload an HTML file in the Media Manager:

“Possible IE XSS Attack found.”

Without giving the issue much thought, we told her to do the following:

  • Log in to the backend of the Joomla website.
  • Click on Content -> Media Manager.
  • Click on Options on the top right.
  • Next to Legal Extensions (File Types), add html as a legal type.

We thought that the problem lay in the fact that files with a .html extension are not allowed by default in Joomla, and that they must be explicitly allowed in the Media Manager’s settings. While that was true, it didn’t solve the problem…

A few minutes later, she emailed us telling us that she had already done that. So we investigated the problem much more thoroughly, and we discovered something that we didn’t know before: Joomla, for security reasons, doesn’t allow any file that contains HTML tags to be uploaded. This is enforced in the file media.php, which is located under the libraries/cms/helper folder. If you read that file (start at line 190), you will see that Joomla scans the uploaded file for most known HTML tags and immediately returns the error if any tag is found. What makes this security rule even more aggressive is the fact that it doesn’t care about the file type: even if the file is called myimage.jpg, it is checked for HTML tags. Hmmm…
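To make the behaviour described above concrete, here is an added PHP illustration (not Joomla's code and not from the original post) of a check that looks for HTML tags in the first 256 bytes of a file without ever consulting its name. The function name, the short tag list, the matching rule and the sample files are all constructed for the example.

```php
<?php
// Added illustration; not Joomla's code. The tag list is a small constructed subset.
const SNIFF_BYTES = 256;
const HTML_TAGS = ['html', 'head', 'body', 'script', 'iframe', 'img', 'a', 'div', 'title'];

/**
 * Return the first HTML tag found in the leading bytes of $path, or null.
 * The file name and extension are never consulted, only the content.
 */
function findHtmlTagInHead(string $path, int $limit = SNIFF_BYTES, array $tags = HTML_TAGS): ?string
{
    // Read from the start of the file, up to $limit bytes.
    $head = file_get_contents($path, false, null, 0, $limit);
    if ($head === false) {
        throw new RuntimeException("Cannot read $path");
    }
    foreach ($tags as $tag) {
        // Assumed matching rule: "<tag " or "<tag>", case-insensitive.
        if (stripos($head, "<$tag ") !== false || stripos($head, "<$tag>") !== false) {
            return $tag;
        }
    }
    return null;
}

// Constructed sample uploads (not real files from any site).
$dir = sys_get_temp_dir() . '/xss_sniff_' . getmypid();
mkdir($dir);
$samples = [
    // A plain HTML page.
    'page.html'   => "<!DOCTYPE html>\n<html><body><p>Hello</p></body></html>\n",
    // JPEG magic bytes followed by tag-like metadata: rejected despite the .jpg name.
    'myimage.jpg' => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00<title>exported drawing</title>" . str_repeat("\x00", 64),
    // PNG signature followed by binary filler: nothing tag-like.
    'clean.png'   => "\x89PNG\r\n\x1a\n" . str_repeat("\x00", 300),
];
foreach ($samples as $name => $bytes) {
    $path = "$dir/$name";
    file_put_contents($path, $bytes);
    $tag = findHtmlTagInHead($path);
    echo str_pad($name, 14), $tag === null ? "accepted" : "rejected (found <$tag>)", PHP_EOL;
    unlink($path);
}
rmdir($dir);
```

Running the same function against a file that Joomla rejects shows which tag-like sequence in its header is responsible, which helps when the file is supposed to be an image.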

Now, since the users using the backend were trustworthy, we were able to disable this security rule only for the backend. We did that the following way:

  • We opened (using FTP) the file media.php located under the libraries/cms/helper folder.
  • We searched for the following line:

    $xss_check = file_get_contents($file['tmp_name'], false, null, -1, 256);

  • Just above it, we added the following lines:

    $app = JFactory::getApplication();
    if ($app->isAdmin())
        return true;

That’s it! Doing the above allowed the developer to upload files with HTML content to the website. The problem is solved!

But what’s with the “IE XSS” error?

We know, the error doesn’t really make any sense when you take into consideration that the developer was not even using IE (and, of course, was not experimenting with XSS attacks against her employer’s website). We suspect that this security rule was added because of an exploit that is specific to Internet Explorer, hence the name (by the way, this security rule didn’t exist in versions of Joomla older than 3.2.0).

If you’re seeing the same problem while trying to upload an HTML file to your Joomla website using the Media Manager, then try the above solution; it should work. If you’re facing this problem in the frontend, then you will need to just add return true; (instead of the 3 lines above), but keep in mind that you may be opening your website to security exploits, and we don’t recommend it. If you’re in a dilemma as to whether you should implement this solution or not, and you need help, then please contact us. We are super experienced in Joomla, our work is super clean, our rates are super cheap, and we are always super ready!

2 Responses to ““Possible IE XSS Attack found.” when Trying to Upload a File in the Media Manager”
  1. Comment by Niklas — October 19, 2015 @ 5:19 am

    I had the same problem. I opened my file in Paint and re-saved it as a PNG and the problem was solved. I exported my picture from Inkscape and I guess it corrupted the file data.

  2. Comment by Jim Dee — November 28, 2017 @ 8:31 pm

    I think J! has the same issue w/ SVG uploads, which would make sense, I suppose. :-)
