We noticed that JavaScript is disabled in your browser. We suggest enabling it for a better experience.
We noticed you're using an older version of Internet Explorer. We suggest you update to the latest version for a better experience.
Skip to main content

File uploads: settings, restrictions, and virus scans

Use the file upload field to let respondents upload files with their form submissions.

upload.png

Because file uploads affect your storage limit, you might want to use the field settings to change the maximum number, size, and type of files you accept in this field. 

To prevent malicious damage to your system, we don't accept the upload of some types of files, and scan every uploaded file for viruses.

File upload settings and limits

Select the gear icon in a file upload field to access its settings.

settings.png

The settings available for file upload fields are:

settings available.png
 Required field? Is the field required to submit the form?
 Description A description of the field.

Number of files that can be uploaded

By default, this is set to 20.

The maximum value is 100. If you delete the default limit of 20, the maximum value will apply to that field.

Maximum file size

This is the maximum file size a respondent can upload per file to this file upload field.

The default limit is 50MB, and the maximum value is 1GB. We recommend leaving this value at 50MB.

If you've set up notification or reminder emails with file uploads attached, files with a combined size in excess of 10 MB can't be attached. You can, however, use answer piping to include file links in emails to receive large files.  
By default, users must be logged into OpenForms to access emailed file links. To override this see Let external reviewers access file uploads.

Accepted file types

Use this field to limit the file types that users can upload (to pdfs or word documents for example), by entering the file extensions you will accept.

If you don’t enter a file type here, users can upload any file type, except for restricted file types.

We recommend you limit file uploads to only the types relevant to your form, and let users know in the file upload field description.

 Restricted file types

OpenForms doesn't accept the following file types to prevent potential malicious uploads.

action html msh scf
ade inf msh1 scr
adp ins msh1xml sct
app isp msh2 shb
ashx its msh2xml shs
asmx jhtml mshxml shtml
asp js msi swf
aspx jse msp sys
asx jsp mst tmp
axd jspx ops url
bas ksh pcd vb
bat lib php vbe
cer lnk php3 vbs
cfm mad php4 vps
cgi maf phtml vsmacros
chm mag pif vss
cmd mam pl vst
com maq plg vsw
cpl mar prf vxd
crt mas prg ws
csh mat ps1 wsc
css mau ps1xml wsf
der mav ps2 wsh
dll maw ps2xml wss
do mda psc1 xhtml
exe mdb psc2 xml
fxp mde py xnk
gadget mdt rb yaws
hlp mdw reg
hta mdz rhtml
htm msc rss

 

 How OpenForms deals with viruses in uploaded files

OpenForms scans all files uploaded by form respondents for viruses. If a threat is detected, the file is deleted.

As of our August 2019 release, this process is more transparent. If you’ve chosen to be notified of form responses, we'll let you know if an infection has been found (we'll still delete the file). Use this information to contact form respondents and let them know their submission is incomplete.  

Files uploaded by respondents are placed in a scanning queue. It's worth noting that it may take some time for each file to be scanned during high-demand periods. Files that are queued but not yet scanned are marked as such in the Response screen.

Submission notifications are sent as soon as we receive submissions, so they can contain unscanned attachments if those files are in a queue. It's safest to leave email attachments closed. Only open submitted files that have been downloaded from the OpenForms interface.

You can view the results of virus scans in the Response screen.

As of version 4, the OpenForms API appends scan information to some items.

View scan status in the form response screen

Go to Forms > your form > Responses > View in browser.

scanned safe.png

Uploaded files will show one of the following statuses:

Scanned, file safe

This file passed our virus scan.

Note that no virus scanner is 100% effective, and though rare, some viruses may still get through.

Threat found, file deleted

Our virus scan found a threat in this file, so we’ve deleted it for your protection. Contact the form respondent if you still need the information contained in the file.

Awaiting scan

We’ll scan the file for viruses soon. We recommend you don’t download or open it before then.

Can’t be scanned

We couldn’t scan this file for viruses. Make sure your antivirus software is up to date before downloading or opening the file.

This typically occurs with password protected or very large files.

You can still download files that are awaiting scans or can’t be scanned. Only download these if your organization's antivirus software is up to date. 

Files uploaded before our August 2019 release will appear as scanned, file safe. This reflects how our virus scanner worked previously - files were scanned as they were uploaded, and suspect files were blocked from submission.

How scan statuses are appended in the API

The following information is specifically for developers. 

Whenever you make an API call using the GET command with any of the following endpoints: 

  • /api/v4/files

  • /api/v4/files/{fileID}

  • /api/v4/files/{fileID}/download

  • /api/v4/responses

  • /api/v4/responses/{responseId}

The OpenForms API will append a virus scan status. This can be:

Clean

This file passed our virus scan.

Note that no virus scanner is 100% effective, and though rare, some viruses may still get through.

Infected

Our virus scan found a threat in this file, so we’ve deleted it for your protection. Contact the form respondent if you still need the information contained in the file.

Pending

We’ll scan the file for viruses soon. We recommend you don’t download or open it before then.

Failed

We couldn’t scan this file for viruses. Make sure your antivirus software is up to date before downloading or opening the file.

This typically occurs with password protected or very large files.

 

What Next?

 

 

Was this helpful?