I know that from security standpoint this is not safe. But I intend to use the javascript code for convenience. So just as a first pass. My goal is to avoid any false-positives i.e. it is fine if a malicious hacker manipulated the file to have the mime开发者_高级运维-types that I accept (because I will be doing a second pass on server side) but I I would want to prevent legal files being detected as problematic.
UPDATE
Prototype of a working solution http://jsfiddle.net/tankchintan/5EUjE/1/
It is OK so long as you are confirming the type on the server side.
Using it on the client will just be a convenience to the end user. How are you determining the mime type? If it is just on extension, then you may as well just check for a valid extension on the client side.
Update
It appears to be just mapping extensions to file types, as a png
renamed as mp3
is mpeg/audio
to the code.
So, ensure you validate the type on the server by checking the file's contents, not its extension.
精彩评论