Forbidden file extension at file upload


since the last kirby update i get in the panel while writing or editing a page the error message “forbidden file extension” (Or similar :wink: I get the message in german “Verbotene Dateiendung”) in the top-right corner when the user try to upload a file with the extention *.html or *.htm
I have set no permissions to limit the allowed file extentions.

I’m a bit surprised that this worked in the past, unless I’ve missed something:

For my (miss-) understanding: a HTML-file includes e.g. the “head”’ part of a webpage. Where do I need this inside a Kirby webpage?

On this page are two HTML Files:
These are leaderboards that are exported from a program and uploaded to our website.
Now this upload does not work anymore on the panel.

Import them online in another format, e.g. via API.

What version of Kirby did you use before the update? Trying to find out why it worked before when it actually shouldn’t have…

Why don’t you provide these files as Excel files or something like this?

Edit: I’d say you either have updated from a very old version of Kirby (Kirby 1?), or you or someone else changed the source code to allow html file upload. I tested with Kirby version 2.1.0 and it wasn’t possible to upload html files with that version, either.

1 Like

I have taken the support of the website just two week ago. My precursors last activity was the last kirby update. He could not tell me the last used version. But he remember that he modify a kirby core file to allow HTML uploads.

He made following changes in panel/app/src/panel/models/page/uploader.php

public function checkUpload($file) {

    $filesettings        = $this->blueprint->files();
    //$forbiddenExtensions = array('php', 'html', 'htm', 'exe', kirby()->option('content.file.extension', 'txt'));
    //$forbiddenMimes      = array_merge(f::$mimes['php'], array('text/html', 'application/x-msdownload'));
    $extension           = strtolower($file->extension());
    // Overwrite allow HTML upload ~EN
    $forbiddenExtensions = array('php', 'exe', kirby()->option('content.file.extension', 'txt'));
    $forbiddenMimes      = array_merge(f::$mimes['php']);


The update have only overwrite the changed file. After i make these changes again the HTML upload works.

But according to this page the HTML upload should be possible. That is a bit misleading.

Ok, so my guess was correct.

Yes, you are right, that page might be a bit misleading; but the thing is that you can in fact have .html files in your folders and read them in your templates, but you can’t upload them via the Panel. I don’t know if this issue will ever be solved in K 2, I rather doubt it given the fact that the issue has been open for so long.

I consider this solved for the moment, but better make a note of your changes in an “update to to list” in case you have to update again.

Or change the fileextension in front of the upload after you delete the „head“ part and so on…