GoFuckYourself.com - Adult Webmaster Forum

Forum: Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
Thread: Is this safe? (https://gfy.com/showthread.php?t=904031)

The Duck 05-07-2009 06:11 AM

Is this safe?
 
I am running a community-driven website where I need users to be able to submit HTML files through a contact form with file upload, which forwards the file and message to my email. Is this safe, or does it pose some kind of security threat if a rogue user decides to upload an HTML file with malicious code?

I have security apps on my computer; I am more concerned about whether it can hurt my server in some way.

seeandsee 05-07-2009 06:16 AM

Maybe some Java shit can go through; not sure if that is just HTML files or a scripting language too.

The Duck 05-07-2009 07:22 AM

Quote:

Originally Posted by seeandsee (Post 15829421)
Maybe some Java shit can go through; not sure if that is just HTML files or a scripting language too.

I will block everything but *.html files, but I guess that can be exploited anyway.

grumpy 05-07-2009 07:24 AM

Why do you need the submission of a complete HTML file? Easy to install exploits that way.

pornguy 05-07-2009 07:30 AM

.htm and .html, just in case.

The Duck 05-07-2009 07:41 AM

Quote:

Originally Posted by grumpy (Post 15829618)
Why do you need the submission of a complete HTML file? Easy to install exploits that way.

I guess I could just have them submit the code in a text field, but we are dealing with complete newbies, so I fear they will not know how to extract the code from the HTML file, as stupid as it may sound.

StaceyJo 05-07-2009 10:36 AM

Easy for spammers.

SilentSound 05-07-2009 11:38 AM

Take care - if your server is configured that way, <?php ?> tags will be parsed within HTML files (depends on how you use the files after upload). Strip all code, be it PHP, ASP, etc. And strip ALL JavaScript. ALL of it.

That should be safe - I would use one more precaution though: don't allow anything referencing outer domains (e.g. hotlinking an image from domain2.com, where the HTML file is uploaded to domain1.com) - this is a prime candidate for cookie stuffing.

Just my :2 cents:

take care !!!
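The advice in the post above (strip all server-side code and all JavaScript, and reject anything that references an outside domain), together with the earlier ".htm and .html only" suggestion, as an added worked example. This is not code from the thread or from any poster; it assumes Python 3 with only the standard library, that the receiving site is domain1.com (the ALLOWED_HOST value is an assumption), and that the file is only ever emailed as an attachment, never served from the web root. The sample HTML at the bottom is constructed for the demo.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
from email.message import EmailMessage

ALLOWED_HOST = "domain1.com"  # assumption: the site that receives the upload

# Elements whose whole subtree is dropped: anything that runs code or pulls remote content
DROP_ELEMENTS = {"script", "iframe", "object", "embed", "applet", "style", "link", "meta", "form"}
# Attributes that carry a URL; each is checked against ALLOWED_HOST
URL_ATTRS = {"src", "href", "action", "background", "poster", "data"}
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}
# <?php ... ?> and <% ... %> blocks (PHP/ASP) are removed before HTML parsing
SERVER_CODE = re.compile(r"<\?.*?\?>|<%.*?%>", re.DOTALL)


def url_allowed(value: str) -> bool:
    """Keep relative URLs and http(s) URLs on ALLOWED_HOST; reject everything else."""
    parsed = urlparse(value)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False  # javascript:, data:, vbscript:, ftp:, ...
    host = parsed.netloc.lower().split("@")[-1].split(":")[0]
    if not host:
        return True  # relative path, stays on the uploading site
    return host == ALLOWED_HOST or host.endswith("." + ALLOWED_HOST)


class HtmlSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, so unknown syntax cannot survive as-is."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings = [], []
        self._drop_tag, self._drop_depth = None, 0

    def handle_starttag(self, tag, attrs):
        if self._drop_tag:
            if tag == self._drop_tag:
                self._drop_depth += 1
            return
        if tag in DROP_ELEMENTS:
            self.findings.append(f"removed <{tag}> element")
            if tag not in VOID_ELEMENTS:
                self._drop_tag, self._drop_depth = tag, 1
            return
        kept = []
        for name, value in attrs:
            # Browsers ignore control characters and whitespace inside URLs, so strip them
            # before checking, and emit the stripped form.
            value = re.sub(r"[\x00-\x20]", "", value or "")
            if name.startswith("on"):
                self.findings.append(f"removed event handler {name} on <{tag}>")
                continue
            if name in URL_ATTRS and not url_allowed(value):
                self.findings.append(f"removed unsafe/external {name}={value!r} on <{tag}>")
                continue
            kept.append((name, value))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self._drop_tag:
            if tag == self._drop_tag:
                self._drop_depth -= 1
                if self._drop_depth == 0:
                    self._drop_tag = None
            return
        if tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_tag:
            self.out.append(escape(data, quote=False))  # re-escape text, entities included

    def handle_comment(self, data):
        self.findings.append("removed comment")  # conditional comments can hide markup

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")  # keeps <!DOCTYPE html>

    def handle_pi(self, data):
        self.findings.append("removed processing instruction")


def sanitize_html(raw: str):
    """Return (cleaned_html, findings) for an uploaded HTML document."""
    stripped, n = SERVER_CODE.subn("", raw)
    parser = HtmlSanitizer()
    if n:
        parser.findings.append(f"removed {n} server-side code block(s)")
    parser.feed(stripped)
    parser.close()
    return "".join(parser.out), parser.findings


def check_upload(filename: str, data: bytes, max_bytes: int = 200_000):
    """Accept only small .htm/.html text files; returns (decoded_text, reason_if_rejected)."""
    if not filename.lower().endswith((".htm", ".html")):
        return None, "only .htm/.html accepted"
    if len(data) > max_bytes:
        return None, "file too large"
    if b"\x00" in data:
        return None, "binary content, not HTML"
    return data.decode("utf-8", errors="replace"), ""


def build_email(sender: str, recipient: str, body: str, filename: str, cleaned_html: str):
    """Attach the cleaned file as text/plain so the mail client shows source, not a rendered page."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "Contact form submission"
    msg.set_content(body)
    msg.add_attachment(cleaned_html, subtype="plain", filename=filename)
    return msg


# Constructed sample upload exercising each rule above
SAMPLE = """<!DOCTYPE html>
<html><head><title>My page</title>
<script src="http://domain2.com/x.js"></script>
<?php echo "hi"; ?>
</head><body onload="alert(1)">
<h1>Hello</h1>
<p>Visit <a href="javascript:alert(1)">here</a> or <a href="/about.html">about</a>.</p>
<img src="http://domain2.com/track.gif" alt="x">
<img src="/logo.png" alt="logo">
<!-- hidden -->
</body></html>
"""

if __name__ == "__main__":
    text, reason = check_upload("page.html", SAMPLE.encode("utf-8"))
    cleaned, findings = sanitize_html(text)
    print(cleaned)
    print("\n".join(findings))
```

The parser rebuilds the document from tokens rather than deleting patterns with regex, so a `<scr<script>ipt>`-style payload or a tag that only looks valid to a browser does not survive intact, and the findings list gives you something to log or to refuse the submission on. The email step matters as much as the stripping: a `text/html` attachment may be rendered by the recipient's mail client, a `text/plain` one will not.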

The Duck 05-07-2009 12:56 PM

Quote:

Originally Posted by SilentSound (Post 15830627)
Take care - if your server is configured that way, <?php ?> tags will be parsed within HTML files (depends on how you use the files after upload). Strip all code, be it PHP, ASP, etc. And strip ALL JavaScript. ALL of it.

That should be safe - I would use one more precaution though: don't allow anything referencing outer domains (e.g. hotlinking an image from domain2.com, where the HTML file is uploaded to domain1.com) - this is a prime candidate for cookie stuffing.

Just my :2 cents:

take care !!!

Awesome, thanks a lot.

SilentSound 05-07-2009 01:30 PM

No prob mate, hit me up if you've got some scripting security issues; I have a lot of experience with this.

SilentSound 05-07-2009 01:32 PM

Just one more thought - why don't you get your users to edit HTML online, with an editor? (FCKEditor for example, but there are a lot out there.) It would be WAY safer...

