[Multiple File Upload] Question about MultipleFileUpload
Forge component by Hugo Pinheiro
Application Type
Traditional Web

I want to implement a function to add an mp3 file to Resources. However, it seems like this Forge component (MultipleFileUpload) supports pptx, png, zip files.

Is there any way you can upload an mp3 file?


I'm aiming to make a function to upload an mp3 file in the browser and then play the mp3 file.

I'd appreciate it if you could give me some advice.

It'd be nice if you would see attached for your reference.


Best regards,

MultipleFileUploadForMp3.oml

MVP

Hello Tsubasa.

You have two questions here.


1. How to upload mp3 instead of pptx,png,zip?

You go to the block and set Supported Extensions to "mp3" instead of "pptx,png,zip".

2. How to play an uploaded mp3 file?

By default you can only play files in resources, but you can always convert binary to base64 and play it directly.

<audio controls autoplay>
  <source src='data:audio/mp3;base64,<sourcefile>' type='audio/mpeg'>
Your browser does not support the audio element.
</audio>

To use the file just uploaded into the database:

It will look like this:


And here is your example fixed.



MultipleFileUploadForMp3.oml

Hello Nuno Reis


Thank you so much for giving me great advice.

Thanks to it, I should be able to make what I want come true.


I'm curious about only one more thing.

I've got HTML injection as in your inserted image, but I wonder if it is what it is.

I added EncodeHtml() like this and opened it in the browser, but that disabled audio playback.

 


I think I'm missing how to write EncodeHtml, but I'm not too sure where I made a mistake.

Does that look familiar to you?


Best,


MVP


Hi again.

So OutSystems wants you to assume every user has evil intentions. The moment you allow someone to inject information on your HTML, the page is compromised. If I uploaded a file starting with '></audio> inside (and .mp3 extension), I would be giving the page bogus code that would blend in with the site.

That's why Studio warns you about protecting the code.

If you EncodeHtml() the entire expression, the HTML the programmer wrote is also considered dangerous and it is exposed as text (like you are seeing). What you need to do is to check only the file content.

This way the HTML you - developer - want is used, but the HTML the user uploaded is checked.

The file plays and you get 0 warnings.
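
The difference between encoding the whole expression and encoding only the uploaded value, as an added JavaScript sketch that is not part of the thread or of OutSystems. `encodeHtml` is a hypothetical stand-in for the platform's EncodeHtml(), the other helper names are assumptions, and the sample values are constructed.

```javascript
// Hypothetical stand-in for EncodeHtml(): escapes characters that can
// break out of text or a quoted attribute value.
function encodeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// 1. No encoding: the uploaded value is concatenated straight into the markup.
function audioTagUnencoded(fileValue) {
  return "<audio controls><source src='data:audio/mp3;base64," + fileValue +
         "' type='audio/mpeg'></audio>";
}

// 2. Whole expression encoded: the developer's own tags are escaped too,
//    so the browser shows the markup as text and nothing plays.
function audioTagAllEncoded(fileValue) {
  return encodeHtml(audioTagUnencoded(fileValue));
}

// 3. Only the uploaded value encoded: developer markup stays live,
//    user-controlled text cannot close the attribute or the tag.
function audioTagValueEncoded(fileValue) {
  return "<audio controls><source src='data:audio/mp3;base64," +
         encodeHtml(fileValue) + "' type='audio/mpeg'></audio>";
}

// Extra server-side check (an assumption, not from the thread): a value that
// really is base64 contains none of the characters HTML treats specially.
function isBase64(s) {
  return /^[A-Za-z0-9+/]+={0,2}$/.test(s) && s.length % 4 === 0;
}

// Counts live tag openings/closings the browser would parse.
function countTags(html) {
  return (html.match(/<[a-z/]/gi) || []).length;
}

// Constructed samples: a few "ID3" header bytes, and text that closes the tag early.
const goodValue = Buffer.from([0x49, 0x44, 0x33, 0x04, 0x00, 0x00]).toString("base64");
const badValue = "'></audio><b>injected</b>";

console.log(countTags(audioTagUnencoded(badValue)));    // extra tags appear
console.log(countTags(audioTagAllEncoded(goodValue)));  // no live tags at all
console.log(countTags(audioTagValueEncoded(badValue))); // only the developer's tags
```

For valid base64 the third form produces exactly the same markup as the first, which is why the file still plays.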
