Why do you strip punctuation from filenames on upload?

Feature requests
#1

Why do you strip punctuation like question marks, exclamations, dashes, and commas from file names when instantiating design titles?

You let me add the punctuation back in after upload, so it can’t be because you don’t allow these in the title.

It’s a bit of a pain to keep having to add these back in. Here are examples of the titles that I’m having to fix:

  • Shiny!
  • Who Bugs Whom?
  • Bug-Nabbing Bandit
  • Teddy Bear (blue)
  • Teddy Bear (blue, no text)

Is there any chance that you can preserve these instead? Thanks!

(Just to head off one possible answer, you’re not stripping them because some are invalid in URLs. Your software properly encodes them in URLs when I add them back in.)

#2

What you are talking about are filenames - not titles. And a filename is validated/normalized in order to prevent attacks.

1 Like
#3

Hi Lena. Thanks for the response. We upload files having filenames. You use the filenames to as the default design titles. Except for having removed the punctuation.

I’m a computer programmer with expertise in computer security. It is not necessary for you strip the punctuation at any point for reasons of security.

The only thing you need to do is escape characters that might be used for injection attacks. If you store the filenames in a DB, you’re escaping SQL special characters. But we do this with all text sent to the server, not just filenames. We can type text with punctuation into any HTML form and have the server reliably store the text with punctuation. You surely do this with the titles that we type in after upload. Filenames are not special.

I’m doubtful your programmers thought they needed to do this for security. I’m guessing it’s something more like that they stripped the characters for purposes of generating a new filename for server-side storage and then used that stripped value as both the filename and the design title in the database. It might be a simple programming bug of using the wrong variable.

I’d like to make this a feature request. I upload multiple designs at once, all variations of each other. The titles are the same except for the addition of a color or the words “no text” at the end. As things stand, after upload I have to go through each design adding punctuation back in.

#4

@Thomas_Spreadshirt, can we also make this change a feature request? I suspect it’s just a programming bug anyway. I’d like the uploaded filenames to be the default design titles, without stripping punctuation. Thanks!