Use the file upload field to let respondents upload files with their form submissions.
Because file uploads affect your storage limit, you might want to use the field settings to change the maximum number, size, and type of files you accept in this field.
To prevent malicious damage to your system, we don't accept the upload of some types of files, and scan every uploaded file for viruses.
File upload settings and limits
Select the gear icon in a file upload field to access its settings.
The settings available for file upload fields are:
| Required field? |
Is the field required to submit the form? |
| Description |
A description of the field. |
|
Number of files that can be uploaded
|
By default, this is set to 20.
The maximum value is 100. If you delete the default limit of 20, the maximum value will apply to that field.
|
|
Maximum file size
|
This is the maximum file size a respondent can upload per file to this file upload field.
The default limit is 50MB, and the maximum value is 1GB. We recommend leaving this value at 50MB.
If you've set up notification or reminder emails with file uploads attached, files with a combined size in excess of 10 MB can't be attached. You can, however, use answer piping to include file links in emails to receive large files.
By default, users must be logged into OpenForms to access emailed file links. To override this see Let external reviewers access file uploads.
|
|
Accepted file types
|
Use this field to limit the file types that users can upload (to pdfs or word documents for example), by entering the file extensions you will accept.
If you don’t enter a file type here, users can upload any file type, except for restricted file types.
We recommend you limit file uploads to only the types relevant to your form, and let users know in the file upload field description.
|
Restricted file types
OpenForms doesn't accept the following file types to prevent potential malicious uploads.
| action |
html |
msh |
scf |
| ade |
inf |
msh1 |
scr |
| adp |
ins |
msh1xml |
sct |
| app |
isp |
msh2 |
shb |
| ashx |
its |
msh2xml |
shs |
| asmx |
jhtml |
mshxml |
shtml |
| asp |
js |
msi |
swf |
| aspx |
jse |
msp |
sys |
| asx |
jsp |
mst |
tmp |
| axd |
jspx |
ops |
url |
| bas |
ksh |
pcd |
vb |
| bat |
lib |
php |
vbe |
| cer |
lnk |
php3 |
vbs |
| cfm |
mad |
php4 |
vps |
| cgi |
maf |
phtml |
vsmacros |
| chm |
mag |
pif |
vss |
| cmd |
mam |
pl |
vst |
| com |
maq |
plg |
vsw |
| cpl |
mar |
prf |
vxd |
| crt |
mas |
prg |
ws |
| csh |
mat |
ps1 |
wsc |
| css |
mau |
ps1xml |
wsf |
| der |
mav |
ps2 |
wsh |
| dll |
maw |
ps2xml |
wss |
| do |
mda |
psc1 |
xhtml |
| exe |
mdb |
psc2 |
xml |
| fxp |
mde |
py |
xnk |
| gadget |
mdt |
rb |
yaws |
| hlp |
mdw |
reg |
|
| hta |
mdz |
rhtml |
|
| htm |
msc |
rss |
|
How OpenForms deals with viruses in uploaded files
OpenForms scans all files uploaded by form respondents, and all custom document templates uploaded by Enterprise users, for viruses. If a threat is detected, the file is deleted.
As of our August 2019 release, this process is more transparent. If you’ve chosen to be notified of form responses, we'll let you know if an infection has been found (we'll still delete the file). Use this information to contact form respondents and let them know their submission is incomplete.
Files uploaded by respondents are placed in a scanning queue. It's worth noting that it may take some time for each file to be scanned during high-demand periods. Files that are queued but not yet scanned are marked as such in the Response screen.
Template files uploaded by form authors when creating custom documents are scanned immediately.
Submission notifications are sent as soon as we receive submissions, so they can contain unscanned attachments if those files are in a queue. It's safest to leave email attachments closed. Only open submitted files that have been downloaded from the OpenForms interface.
You can view the results of virus scans in the Response screen.
As of version 4, the OpenForms API appends scan information to some items.
View scan status in the form response screen
Go to Forms > your form > Responses > View in browser.
Uploaded files will show one of the following statuses:
|
Scanned, file safe
|
This file passed our virus scan.
Note that no virus scanner is 100% effective, and though rare, some viruses may still get through.
|
|
Threat found, file deleted
|
Our virus scan found a threat in this file, so we’ve deleted it for your protection. Contact the form respondent if you still need the information contained in the file.
|
|
Awaiting scan
|
We’ll scan the file for viruses soon. We recommend you don’t download or open it before then.
|
|
Can’t be scanned
|
We couldn’t scan this file for viruses. Make sure your antivirus software is up to date before downloading or opening the file.
This typically occurs with password protected or very large files.
|
You can still download files that are awaiting scans or can’t be scanned. Only download these if your organization's antivirus software is up to date.
Files uploaded before our August 2019 release will appear as scanned, file safe. This reflects how our virus scanner worked previously - files were scanned as they were uploaded, and suspect files were blocked from submission.
How scan statuses are appended in the API
The following information is specifically for developers.
Whenever you make an API call using the GET command with any of the following endpoints:
The OpenForms API will append a virus scan status. This can be:
|
Clean
|
This file passed our virus scan.
Note that no virus scanner is 100% effective, and though rare, some viruses may still get through.
|
|
Infected
|
Our virus scan found a threat in this file, so we’ve deleted it for your protection. Contact the form respondent if you still need the information contained in the file.
|
|
Pending
|
We’ll scan the file for viruses soon. We recommend you don’t download or open it before then.
|
|
Failed
|
We couldn’t scan this file for viruses. Make sure your antivirus software is up to date before downloading or opening the file.
This typically occurs with password protected or very large files.
|
What Next?