Restrict downloadable MIME types

  • Release version: Australia
  • Updated March 12, 2026
    The glide.ui.attachment.download_mime_types property forces the listed dangerous file types to be downloaded to the client rather than viewed inline in the browser.

    If the glide.ui.attachment.force_download_all_mime_types system property is set to true, it overrides the glide.ui.attachment.download_mime_types property so that all MIME types are downloaded rather than rendered by the browser. For example, downloading text/html forces an HTML file to be saved to the client as a file rather than viewed inline in the browser, which prevents an XSS attack.

    Ensure that the property glide.ui.attachment.force_download_all_mime_types is set to true. If the property does not exist in the System Properties [sys_properties] table, the default value is false.
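
The override rule described above, as an added example that is not ServiceNow code: it audits constructed rows shaped like sys_properties records and reports which MIME types could still render inline. The function names, the comma-separated list format, and the stripping of MIME parameters are assumptions made for illustration.

```javascript
// Added example: models the override rule this page describes. Not ServiceNow code.
const FORCE_ALL = 'glide.ui.attachment.force_download_all_mime_types';
const LIST = 'glide.ui.attachment.download_mime_types';

// Rows are shaped like sys_properties records (name, value); values are strings.
function readProps(rows) {
  const props = new Map();
  for (const row of rows) props.set(row.name, String(row.value).trim());
  return props;
}

// A missing force-all row falls back to false, as the page states.
function forceAllEnabled(props) {
  return (props.get(FORCE_ALL) || 'false').toLowerCase() === 'true';
}

// Assumption: the list property holds comma-separated MIME types.
function listedTypes(props) {
  return new Set((props.get(LIST) || '').split(',')
    .map((t) => t.trim().toLowerCase()).filter(Boolean));
}

// 'attachment' = forced download, 'inline' = the browser may render it.
function disposition(props, mimeType) {
  if (forceAllEnabled(props)) return 'attachment';
  // Assumption: parameters such as "; charset=utf-8" are ignored when matching.
  const base = mimeType.split(';')[0].trim().toLowerCase();
  return listedTypes(props).has(base) ? 'attachment' : 'inline';
}

// Report compliance and which of the given MIME types could still render inline.
function audit(rows, mimeTypes) {
  const props = readProps(rows);
  const inline = mimeTypes.filter((m) => disposition(props, m) === 'inline');
  return { compliant: forceAllEnabled(props), inline };
}

// Constructed sample data: an instance without the force-all row vs a hardened one.
const weak = [{ name: LIST, value: 'text/html, text/xml' }];
const hardened = weak.concat([{ name: FORCE_ALL, value: 'true' }]);
const sampleTypes = ['text/html; charset=utf-8', 'image/svg+xml', 'application/pdf'];

console.log(audit(weak, sampleTypes));
console.log(audit(hardened, sampleTypes));
```

With only the list property set, any type missing from the list is still eligible for inline rendering, which is the gap the force-all property closes.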

    Note:
    The security_admin role is required to edit the property.

    More information

    Attribute                        Description
    Configuration name               glide.ui.attachment.download_mime_types
    Configuration type               System Properties (/sys_properties_list.do)
    Data type                        Boolean
    Recommended value                true
    Default value                    <none>
    Fallback value                   false
    Category                         Validation, sanitization, and encoding
    Security risk                    • Severity score: 6.4
                                     • CVSS rating: Medium
                                     • Security risk details: XSS can lead to easily attained privilege escalation to higher roles such as admin, where more lateral movement can be taken.
    Functional impact                This remediation enforces performance of validation checks before performing an action when you click an attachment in an application. There is no potential impact, but the user experience is altered.
    Dependencies and prerequisites   None