Quickbase Discussions


Change coming on 07/26/20: clicking on an HTML file attachment will download the file

By Brian Cafferelli posted 07-21-2020 13:16

  


 

You rely on Quickbase to provide world-class security. One of the many ways we fulfill that promise is by continuously monitoring our systems for anything that may impact the security of your data. We recently discovered one such issue regarding HTML file attachments and will soon change how they are handled to make them more secure. Read on to see if your apps will be impacted by the change.

Quickbase has a list of file types which can be viewed by most web browsers, such as png, jpeg, and html. For example, an HTML file can be attached to a field. If a user clicks the link to that file, it automatically opens in the user’s web browser.

Directly opening an html file attachment like that is not a security best practice. To address this issue, users will no longer be able to click an html file attachment and have the file open immediately in their browser. As of July 26, 2020, clicking an html file attachment will trigger the file to download instead.
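A sketch of how a server can enforce the behaviour described above, as an added example that is not Quickbase's code. It assumes the download is triggered with the standard `Content-Disposition: attachment` header, and it generalizes from HTML to an allow-list, so any type not known to be passive (HTML, SVG, unknown extensions) downloads; the names `attachment_headers` and `INLINE_TYPES` are hypothetical.

```python
import posixpath
from urllib.parse import quote

# Assumed allow-list for this example: types a browser displays without
# running markup or script. Everything else is forced to download.
INLINE_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
}


def attachment_headers(filename):
    """Return the response headers for serving a stored user attachment."""
    # Keep only the final path component and drop control characters
    # (CR/LF included) that an uploader may have put in the name.
    name = posixpath.basename(filename.replace("\\", "/"))
    name = "".join(ch for ch in name if ch.isprintable()) or "download"
    ext = posixpath.splitext(name)[1].lower()
    inline = ext in INLINE_TYPES
    return {
        # Active or unknown content goes out as opaque bytes, never as text/html.
        "Content-Type": INLINE_TYPES[ext] if inline else "application/octet-stream",
        # RFC 6266 / RFC 5987 form: percent-encoding keeps quotes and
        # separators in the file name from altering the header.
        "Content-Disposition": "{}; filename*=UTF-8''{}".format(
            "inline" if inline else "attachment", quote(name, safe="")
        ),
        # Stop the browser from sniffing the body and overriding Content-Type.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample file names, not taken from any real app.
    for sample in ("photo.PNG", "report.html", "logo.svg", "..\\..\\page.HTM"):
        headers = attachment_headers(sample)
        print(sample, "->", headers["Content-Disposition"], "|", headers["Content-Type"])
```

A file named `report.html.png` is still served inline, but as `image/png` with `nosniff`, so the browser does not render its contents as HTML.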

 

What if my app’s workflow relies on directly opening an html file attachment?

To follow security best practices, Quickbase apps will no longer open html file attachments in the web browser as of July 26, 2020. If you have been using this feature to automate workflow, we recommend you copy the contents of your html file attachment and paste it into a code page instead. You can then use a Formula – URL field to link to your code page.

 

High traffic use cases

As described in our Extending Quickbase guidelines article, file attachments are not designed to serve high-traffic or high-concurrency use cases. One example of such a use case is storing a photo in a file attachment field, then linking to that file from an external website that receives a large amount of traffic. Those types of workloads are best served by an external CDN (Content Delivery Network).

 

Responsible disclosure

While we have many talented engineers continuously improving our platform’s security, we also look to you, our customers, to raise any potential security issues you notice while using Quickbase. We manage a responsible disclosure program for you to report such concerns to us confidentially so we can handle them.

 
