+1 vote

Hello all,

Is there a way to create a guest form with upload document functionality?
But without using the .Net assembly (FileUpload.aspx).

Thanks,

Henry

asked in Guest by (325 points)

1 Answer

+2 votes
Best answer

Hi Henry

Since 11.2, you can make a ServerJS node script that allows you to read the binary stream of the uploaded file. I quickly made a showcase of how you can work both client side and server side.

Note that it's tested with only one file upload in a form post. Tested only with Chrome etc. It's a prototype that needs further improvements, but at least it's a POC that proves we can do it without dotnet.

WARNING: Enabling file upload without authentication is a security consideration. The request can be used to spam the database with a large amount of files. Malicious files and scripts can be uploaded without any problem. We recommend dumping each file to disk to have it scanned before exposing it to internal users, or at least whitelisting only safe extensions. The best design is to limit file upload to the extranet only.

Guest page:
https://mydomain/crm/guest?app=website

<!DOCTYPE html>
<html>
<head></head>
<body>
<form method="post" enctype="multipart/form-data"
  action="node/upload/file">
  <input type="file" name="File1" id="File1" /><br />
  <input type="submit" name="Submit" value="Submit file(s)" />
</form>
</body>
</html>

customs\{customer}\efficy\serverjs\api\node\upload\file.js

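function main() {
  try {
    // Raw multipart/form-data body of the POST (a single file is expected)
    var rawContent = Request.rawContent(),
        // Part headers and file content are separated by the first blank line
        contentParts = rawContent.split("\n\r\n"),
        headers = contentParts[0],
        byteStream = contentParts[1],
        filename = "",
        matches = headers.match(/filename[^;=\n]*=(?:(\\?['"])(.*?)\1|(?:[^\s]+'.*?')?([^;\n]*))/);

    // match() returns null when the part carries no filename parameter
    if (matches && matches.length > 2) {
      // Keep only the last path component so the name cannot leave c:\temp
      filename = (matches[2] || "").replace(/^.*[\\\/]/, "");
    }

    if (filename && byteStream) {
      strSaveBinaryFile("c:\\temp\\" + filename, byteStream, false);
    }

    Response.setStatusCode(200); // HTTP_OK
  } catch (e) {
    Response.setStatusCode(400); // HTTP_BADREQUEST
    Response.setContent(e.message);
  }
}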

Guest page
Folder on server

answered by (7.4k points)
edited by
Hello Kristof,

Technically, it's a nice POC.

Regarding the security part, in 2019, more than ever, allowing anonymous users to upload unknown files from unknown sources is / may be a risk.

For me, the most secure way to allow external users to upload files in Efficy is using the Extranet.

Alex.
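
The checks the warning in the answer asks for (safe extensions only), together with boundary-aware parsing and filename sanitising, as an added example that is not part of the original answer or Efficy's own code. It is plain JavaScript with no Efficy API calls; the function names, the extension allowlist and the size cap are assumptions.

```javascript
// Added example: validation helpers for a single-file upload (names are hypothetical).
const ALLOWED_EXTENSIONS = [".pdf", ".png", ".jpg", ".txt"]; // assumed allowlist
const MAX_LENGTH = 5 * 1024 * 1024;                          // assumed cap on content length

// Split a single-file multipart body into part headers and content, ending the
// content at the closing boundary so blank lines inside the file are preserved.
function parseSinglePart(raw) {
  const firstEol = raw.indexOf("\r\n");
  if (firstEol < 3 || raw.slice(0, 2) !== "--") throw new Error("no boundary");
  const boundary = raw.slice(0, firstEol);
  const headerEnd = raw.indexOf("\r\n\r\n", firstEol);
  if (headerEnd < 0) throw new Error("no part headers");
  const bodyEnd = raw.indexOf("\r\n" + boundary, headerEnd + 4);
  if (bodyEnd < 0) throw new Error("unterminated part");
  return {
    headers: raw.slice(firstEol + 2, headerEnd),
    content: raw.slice(headerEnd + 4, bodyEnd)
  };
}

// Reduce the client-supplied name to a bare file name and check it.
function safeFilename(headers) {
  const m = /filename="([^"]*)"/i.exec(headers);
  if (!m) throw new Error("no filename");
  const base = m[1].split(/[\\\/]/).pop();             // drop any directory part
  if (!/^[A-Za-z0-9][A-Za-z0-9._ -]{0,99}$/.test(base)) throw new Error("bad filename");
  const dot = base.lastIndexOf(".");
  const ext = dot < 0 ? "" : base.slice(dot).toLowerCase();
  if (!ALLOWED_EXTENSIONS.includes(ext)) throw new Error("extension not allowed");
  return base;
}

// Returns { filename, content } or throws; the caller maps a throw to HTTP 400.
function validateUpload(raw) {
  const part = parseSinglePart(raw);
  if (part.content.length === 0) throw new Error("empty file");
  if (part.content.length > MAX_LENGTH) throw new Error("file too large");
  return { filename: safeFilename(part.headers), content: part.content };
}
```

In the ServerJS handler, `validateUpload(Request.rawContent())` would run before the save call, with only the returned `filename` used to build the path.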