ACF allows the default upload blocklist this.blockedExtForFileUpload (see ) to be overridden per with an allowedExtensions option for
There is also a strict option which allows bypassing the blocklist
Adding the attribute “allowedExtension“ is a problem within a minor release because we have to change the order of attributes. ATM the order are like this:
FileUpload(destination, fileField, accept, nameConflict, strict, allowedExtensions)
FileUpload( destination, fileField, accept, nameConflict, mode, attributes, acl );
we need to add the attribute in Lucee after nameconflict what will cause issues for people using the attribute “mode” and “acl“ with unnamed arguments.
We can extend the argument mode in case it fails it could check if we have extension defined, but only as a undocumented feature.
I will add the attribute to the file tag, but for the function FileUpload we wait for the next major release.
I’m adding the attribue “allowedExtensions“ AND “blockedExtensions“ to the tag cffile.
added the function arguments to 188.8.131.52
please test in Lucee 5.3 the tag cffile with the attribute “allowedExtension“ and “blockedExtension“ then in Lucee 6 test also the functions [fileUpload, fileUploadAll] with this arguments.
I've checked cffile tag with lucee fixed version 184.108.40.206-SNAPSHOT.
Attribute allowedExtensions and blockedExtensions are works fine.
allowedExtensions is override the blockedExtensions and this.blockedExtForFileUpload. So, it works as expected.
If this.blockedExtForFileUpload = "html" and accept attribute with mimeType(text/html) is allowed the file to upload successfully.
Seems, the same scanerio throws an error in ACF. Because this.blockedExtForFileUpload doesn't works in this version.
And I've checked fileUpload & fileUploadAll functions with lucee version 220.127.116.11-SNAPSHOT.
The argument allowedExtensions works fine.
But blockedExtensions and this.blockedExtForFileUpload doesn't work as expected.
It doesn't block the fileupload for the declared extension.