File Upload and Download Security Settings

Last Updated on March 5, 2014 by

File Upload and Download Setting

Salesforce allows us to upload various types of documents. You can upload these documents as an attachment or in the Documents section. Salesforce offers file storage for each edition. It includes files in attachments, the Documents tab, the Files tab, File fields, Salesforce CRM Content, Chatter (including user photos), and Site.com assets. For security reasons, you may configure the way some file types (like HTML) are handled during upload and download for your organization.

HTML Documents and Attachments Settings

Before the Spring’14 release, Salesforce provided one feature to handle HTML documents, called “HTML Documents and Attachments Settings”. When this feature is enabled, users cannot upload HTML files to the Document object or as an attachment. Specifically, users cannot upload files with the following extensions as a document or an attachment: htm, html, htt, mhtm, mhtml, shtm, shtml, svg.

To enable this feature, follow the instructions below:

1) Click on Name | Setup | Administration Setup | Security Controls | HTML Documents and Attachments Settings
2) Select the “Disallow HTML documents and attachments” check-box

Disallow HTML documents and attachments

3) Now, if a user tries to upload an HTML file, they will get an error like the one in the image below

HTML file types are not permitted for security reasons

File Upload and Download Security

After Spring’14, the old feature “HTML Documents and Attachments Settings” is going to be replaced by the new feature “File Upload and Download Security”. This feature provides a way to control file upload and download settings. It is available in Developer, Performance, Enterprise, Professional, Contact Manager, Group, and Unlimited editions, except Database.com.

Configure File Upload and Download Security for your organization

To configure this feature for your organization, follow the instructions below:

1) Click on Name | Setup | Administration Setup | Security Controls | File Upload and Download Security
2) Click on Edit, as shown in the image below

Enable File Upload and Download Security - Step 1

3) To prevent users from uploading files that may pose a security risk, select Don’t allow HTML uploads as attachment or document records

Enable File Upload and Download Security - Step 2

Note:-

  • This security setting, if enabled, blocks users from uploading files with these extensions: .html, .htt, .mht, .svg, and .thtml.
  • Do not enable this setting if your organization uses the partner portal to give your partner users access to Salesforce.
  • This setting does not affect attachments on email templates; HTML attachments on email templates are always permitted.
  • After this setting is enabled, previously uploaded HTML documents and attachments are unaffected. However, when users attempt to view an HTML attachment or document, their browser first prompts them to open the file in the browser, save it to their computer, or cancel the action.

4) Now you can set the download behavior for each file type

Enable File Upload and Download Security - Step 3

  • Downloaded (recommended):- The file is always downloaded.
  • Execute in browser:- The file is displayed and executed automatically when accessed in a browser or through an HTTP request.
  • Hybrid:- Attachments and document records execute in the browser. Salesforce CRM Content files and Chatter files are downloaded.

5) Click on Save.
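
The note under step 3 says previously uploaded HTML documents and attachments are unaffected by the setting, so it is worth reviewing what is already stored. The following is an added example, not part of the original post and not Salesforce code: it scans a constructed CSV export of Attachment records for the extensions listed on this page. The export layout (Id, Name, ContentType columns), the sample rows, and the content-type list are assumptions.

```python
import csv
import io

# Extensions named on this page: the older "HTML Documents and Attachments
# Settings" list plus the "File Upload and Download Security" list.
BLOCKED_EXTENSIONS = {
    "htm", "html", "htt", "mhtm", "mhtml", "shtm", "shtml", "svg",
    "mht", "thtml",
}
# Assumption: content types a browser treats as active markup.
ACTIVE_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def extension_of(name):
    """Return the lower-cased final extension, ignoring trailing dots/spaces."""
    cleaned = name.strip().rstrip(". ").lower()
    return cleaned.rpartition(".")[2] if "." in cleaned else ""


def audit(export_csv):
    """Return (Id, Name, reason) for every record that deserves review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        ext = extension_of(row["Name"])
        # Drop parameters such as "; charset=utf-8" before comparing.
        ctype = row["ContentType"].split(";")[0].strip().lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append((row["Id"], row["Name"], "blocked extension ." + ext))
        elif ctype in ACTIVE_CONTENT_TYPES:
            # Harmless-looking name, but stored with an HTML-like type.
            findings.append((row["Id"], row["Name"], "content type " + ctype))
    return findings


# Constructed sample export; the Ids and file names are made up.
SAMPLE_EXPORT = """Id,Name,ContentType
00P000000000001,quote.pdf,application/pdf
00P000000000002,Landing.HTML,text/html
00P000000000003,logo.svg,image/svg+xml
00P000000000004,notes.txt,text/html; charset=utf-8
00P000000000005,archive.mht.,message/rfc822
00P000000000006,report.html.zip,application/zip
"""

if __name__ == "__main__":
    for record_id, name, reason in audit(SAMPLE_EXPORT):
        print(record_id, name, reason)
```

Records flagged only by content type are worth a manual look, because their file name would not match the extension list.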
