Salesforce allows us to upload various types of Documents. You can upload these documents as an Attachment or in the Document’s section. Salesforce offers File storage for each edition. It includes files in attachments, Document’s tab, File’s tab, File field, Salesforce CRM Content, Chatter (including user photos), and Site.com assets. For security reasons, you may configure the way some file types (like HTML) are handled during upload and download for your organization.
HTML Documents and Attachments Settings
Before Sprig’14 release Salesforce provides one feature to handle HTML document, called as “HTML Documents and Attachments Settings“. After enabling this feature, it doesn’t allow users to upload HTML files to the Document object or as an attachment. If you enable this feature users cannot upload following file extensions as a Document or an attachment; htm, html, htt, mhtm, mhtml, shtm, shtml, svg.
To enable this feature you can follow the below instruction
1) Click on Name | Setup | Administration Setup | Security Controls | HTML Documents and Attachments Settings
2) Select “Disallow HTML documents and attachments” check-box
3) Now, If some user will try to upload HTML file they will get an error, like below image
File Upload and Download Security
After Spring’14 old feature “HTML Documents and Attachments Settings” is going to be replaced by new feature “File Upload and Download Security“. This feature provides you a way to control file upload and download settings. This feature is available in Developer, Performance, Enterprise, Professional, Contact Manager, Group , Unlimited editions except Database.com.
Configure File Upload and Download Security for your organization
To Configure this feature for your organization follow the below instructions
1) Click on Name | Setup | Administration Setup | Security Controls | File Upload and Download Security
2) Click on Edit, as shown in below image
3) To prevent users from uploading files that may pose a security risk, select Don’t allow HTML uploads as attachment or document records
- This security setting, if enabled, blocks users from uploading files with these extensions: .html, .htt, .mht, .svg, and .thtml.
- Do not enable this setting if your organization uses the partner portalto give your partner users access to
- This setting does not affect attachments on email templates; HTML attachments on email templates are always permitted.
- After this setting is enabled, previously-uploaded HTML documents and attachments are unaffected. However, when users attempt to view an HTML attachment or document, their browser first prompts them to open the file in the browser, save it to their computer, or cancel the action
4) Now you can set download behavior for each File Type
- Downloaded (recommended) :- The file is always downloaded.
- Execute in browser:- The file is displayed and executed automatically when accessed in a browser or through an HTTP request.
- Hybrid:- Attachments and document records execute in the browser. Salesforce CRM Content files and Chatter files are downloaded.
5) Click on Save.