Rundiz / upload

PHP file upload class for single or multiple files with many validations.
http://rundiz.com/web-resources/php-upload-v2
MIT License

Safe web file name in Cyrillic #6

Closed xkpx64 closed 3 years ago

xkpx64 commented 3 years ago

Is it possible somehow to add Cyrillic for safe file name (а-я, А-Я)? Also, is it possible to add CSRF / XSS protection?

Edit: I think I did it. If anyone needs it, it's here (setWebSafeFileName -> line 704: `#[^\da-zа-я-_]#iu`).

ve3 commented 3 years ago

I cannot make sure that Cyrillic is a web safe file name or that it is safe on all OS. So, only English, numbers, and dash (-) are safe file names on all OS.

This class can detect the file's real MIME type and return an error if a false file extension is detected.

CSRF should have its own class/function because it is about request forgery (normal form, link, with or without upload). You can use the one from Slim ( https://github.com/slimphp/Slim-Csrf ). The upload class has nothing to do with CSRF protection; the developers must protect against it themselves.

XSS can be attacked via file upload, but since this class can detect the file's MIME type and validate it against file extensions (please look at the validateExtensionAndMimeType() method), and it can also scan for embedded scripts like shell, cgi, php (please look at the securityScan() method), I think it may be secure enough for XSS. If there is some leakage, please tell me or send me an example file to check.
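To make the two positions in this thread concrete (the maintainer's ASCII-only rule and the Cyrillic-extended character class from the first post's edit), here is an added stand-alone sanitiser; it is example code, not the Rundiz/upload class's own setWebSafeFileName(), and the function name, the `$allowCyrillic` switch and the sample inputs are all constructed for illustration.

```php
<?php
// Added example, not part of Rundiz/upload. Reduces an uploaded file's
// client-supplied name to a web-safe form; extension allow-listing and
// MIME checks are a separate step (the class's validateExtensionAndMimeType()).

function webSafeFileName(string $name, bool $allowCyrillic = false): string
{
    // Drop any directory part so "../../x.php" cannot survive as a path.
    $name = basename(str_replace('\\', '/', $name));

    // Split off the last extension so its dot is not replaced.
    $ext = '';
    $dot = strrpos($name, '.');
    if ($dot !== false && $dot > 0) {
        $ext  = substr($name, $dot + 1);
        $name = substr($name, 0, $dot);
    }

    // ASCII-only class (English, numbers, dash/underscore) versus the class
    // proposed in the issue. Notes for the Cyrillic form:
    //  - the hyphen is escaped here instead of relying on its position after
    //    the а-я range, which PCRE also treats as literal;
    //  - /i together with /u makes А-Я match as well, so both cases pass;
    //  - ё/Ё (U+0451/U+0401) lie outside а-я and are still replaced;
    //  - [0-9] is used instead of \d because PHP's /u also enables UCP,
    //    under which \d would admit non-ASCII digit characters.
    $pattern = $allowCyrillic ? '#[^0-9a-zа-я\-_]#iu' : '#[^0-9a-z\-_]#iu';

    // With /u, preg_replace() returns null on invalid UTF-8; treat that as
    // "nothing usable" rather than letting the raw bytes through.
    $name = preg_replace($pattern, '-', $name) ?? '';
    $ext  = preg_replace('#[^0-9a-z]#iu', '', $ext) ?? '';

    // Collapse dash runs and trim, so "a - - b" becomes "a-b".
    $name = trim(preg_replace('#-{2,}#', '-', $name), '-');
    if ($name === '') {
        $name = 'file';
    }
    return $ext === '' ? $name : $name . '.' . strtolower($ext);
}

// Constructed sample inputs.
echo webSafeFileName('Отчёт 2024.PDF', true), "\n";   // Отч-т-2024.pdf
echo webSafeFileName('Отчёт 2024.PDF', false), "\n";  // 2024.pdf
echo webSafeFileName('../../evil name.php'), "\n";    // evil-name.php
echo webSafeFileName('.htaccess'), "\n";              // htaccess
```

The first two calls show why the maintainer's answer and the original poster's edit differ: the extended class keeps most Cyrillic letters but still drops ё, which is worth knowing before relying on it.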