Secure Your Salesforce Org
          Prevent Upload of Attachment with High-Risk Type Files Control

          Control Name

          File Upload and Download Security (Prevent upload of attachment with high-risk type files)

          Control Overview

          Blocks upload of executable and high-risk file types (HTML, HTM, JS, EXE, and so on) as Attachments, Documents, or ContentVersion records, preventing stored XSS and malware distribution through Salesforce files.

          Description

          Org-wide setting in Setup > Security > File Upload and Download Security that filters file extensions at upload time. Supports HTML upload blocking specifically for Experience Cloud portals and classic file storage.
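Because the control acts at upload time, a practitioner usually pairs it with an audit of files that are already stored. The script below is an added example, not part of the Salesforce Help article and not Salesforce's own code: it classifies records shaped like SOQL results from Attachment, Document and ContentVersion by extension and declared content type. The extension and content-type lists are assumptions built from the types the article names (HTML, HTM, JS, EXE "and so on"), and the sample records, including their Ids, are constructed for the example.

```python
"""Audit stored Salesforce file records for high-risk types (added example).

The record dicts mimic rows returned by the SOQL queries in SOQL_QUERIES;
wire in your own API client to run those queries and feed the rows to audit().
"""
from typing import Dict, Iterable, List, Tuple

# Assumed policy list: the article names HTML, HTM, JS and EXE "and so on";
# the rest are common browser-executable or executable types added here as
# examples. Adjust to your org's policy.
HIGH_RISK_EXTENSIONS = {
    "html", "htm", "xhtml", "shtml", "mht", "mhtml", "svg", "js",
    "exe", "bat", "cmd", "vbs", "hta", "msi",
}

# Declared content types that a browser may execute even if the name looks safe.
HIGH_RISK_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/javascript", "application/javascript", "application/x-msdownload",
}

# Standard objects and fields used to pull an inventory of stored files.
SOQL_QUERIES = {
    "Attachment": "SELECT Id, Name, ContentType FROM Attachment",
    "Document": "SELECT Id, Name, ContentType FROM Document",
    "ContentVersion": "SELECT Id, PathOnClient, FileExtension FROM ContentVersion",
}


def extensions_of(name: str) -> List[str]:
    """Return every extension token in a file name, lowercased.

    Trailing dots and spaces are stripped first so 'setup.exe.' is still
    recognised as an .exe; 'report.pdf.htm' yields ['pdf', 'htm'].
    """
    stem = name.strip().rstrip(". ")
    parts = stem.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify(record: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) with verdict in {'high_risk', 'suspicious', 'ok'}.

    Checks, in order: the last extension, the declared content type, a
    high-risk extension hidden before a benign trailing one, and a missing
    extension. Later checks only run if earlier ones did not fire.
    """
    name = record.get("PathOnClient") or record.get("Name") or ""
    ctype = (record.get("ContentType") or "").lower().split(";")[0].strip()
    exts = extensions_of(name)
    if exts and exts[-1] in HIGH_RISK_EXTENSIONS:
        return "high_risk", f"extension .{exts[-1]}"
    if ctype in HIGH_RISK_CONTENT_TYPES:
        return "high_risk", f"content type {ctype} with name {name!r}"
    if any(e in HIGH_RISK_EXTENSIONS for e in exts[:-1]):
        return "suspicious", "high-risk extension hidden by a trailing one"
    if not exts:
        return "suspicious", "no extension"
    return "ok", ""


def audit(records: Iterable[Dict[str, str]]) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Group records by verdict as (object, id, name, reason) tuples."""
    result: Dict[str, List[Tuple[str, str, str, str]]] = {
        "high_risk": [], "suspicious": [], "ok": [],
    }
    for rec in records:
        verdict, reason = classify(rec)
        name = rec.get("PathOnClient") or rec.get("Name") or ""
        result[verdict].append((rec.get("Object", "?"), rec.get("Id", "?"), name, reason))
    return result


# Constructed sample rows; the Ids are placeholders, not real records.
SAMPLE_RECORDS = [
    {"Object": "Attachment", "Id": "00P000000000001AAA", "Name": "Q3-report.pdf", "ContentType": "application/pdf"},
    {"Object": "Attachment", "Id": "00P000000000002AAA", "Name": "invoice.HTML", "ContentType": "text/html"},
    {"Object": "Document", "Id": "015000000000001AAA", "Name": "tracker.js", "ContentType": "application/javascript"},
    {"Object": "ContentVersion", "Id": "068000000000001AAA", "PathOnClient": "statement.pdf.htm", "ContentType": "text/html"},
    {"Object": "ContentVersion", "Id": "068000000000002AAA", "PathOnClient": "readme.html.txt", "ContentType": "text/plain"},
    {"Object": "ContentVersion", "Id": "068000000000003AAA", "PathOnClient": "report.pdf", "ContentType": "text/html"},
    {"Object": "Attachment", "Id": "00P000000000003AAA", "Name": "notes", "ContentType": "text/plain"},
    {"Object": "Attachment", "Id": "00P000000000004AAA", "Name": "setup.exe.", "ContentType": "application/octet-stream"},
]


if __name__ == "__main__":
    for verdict, rows in audit(SAMPLE_RECORDS).items():
        print(f"{verdict}: {len(rows)}")
        for obj, rec_id, name, reason in rows:
            print(f"  {obj} {rec_id} {name!r} {reason}")
```

The "suspicious" bucket is deliberate: a name like `readme.html.txt` is served as text, but it is the pattern the article's "disguised as documents" scenario describes, so an auditor should look rather than auto-ignore it. Records whose declared content type is executable despite a benign name are treated as high risk because the content type, not the name, decides how a browser renders a download.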

          Recommended Configuration

          Setup > Security > File Upload and Download Security > Don't Allow HTML Uploads as Attachments or Document Records: enabled.

          Security Impact

          Eliminates primary vector for client-side attacks (XSS via HTML attachments, JavaScript execution in Content distributions); protects both Salesforce users and external recipients from malicious files.

          Business Impact

          Maintains legitimate document workflows while blocking only dangerous types. No user training required. Supports compliance requirements for secure file sharing.

          Security Risk If Not Configured

          Unrestricted upload of high-risk file types (HTML/JS) as attachments or document records enables stored XSS and lets malware persist within Salesforce.

          Threat Scenarios

          Malware and malicious executable uploads create endpoint compromise risk; attackers upload HTML/JS files disguised as documents that execute when previewed or downloaded, compromising user browsers and sessions.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          External/Community users amplify the risk; legitimate HTML use cases (invoices, reports) require ContentVersion or alternative storage; antivirus scanning recommended as defense-in-depth.

          Higher Risk When

          Experience Cloud and Community portals enabled, external file sharing active, custom file upload components, or high executive/customer file upload volume.

          Low Risk When

          Internal users only, strict Content security policies, Files disabled, or comprehensive antivirus/EDR deployed on endpoints.

          Business and Integration Considerations

          Test legitimate file types post-configuration; combine with CSP headers and Lightning Locker for comprehensive client-side protection.

          Security Health Review Guidance

          Strongly recommended.

          Who Is Impacted

          All users with file upload permissions, Experience Cloud portal users, security teams monitoring upload patterns, compliance officers verifying secure file handling.

          Salesforce Help | Article