diff --git a/config/elfinder.php b/config/elfinder.php
index d6e50e0..544d728 100644
--- a/config/elfinder.php
+++ b/config/elfinder.php
@@ -90,4 +90,17 @@
'root_options' => [
],
+
+ /*
+ |--------------------------------------------------------------------------
+ | Encrypt MIME Types
+ |--------------------------------------------------------------------------
+ |
+ | When enabled, MIME types configured on browse/browse_multiple fields are
+ | encrypted before being passed to the frontend, preventing CASUAL URL
+ | tampering. Note that this is a UI-level convenience only — NOT A SECURITY MEASURE.
+ | Determined users can always bypass client-side restrictions.
+ |
+ */
+ 'encrypt_mimes' => true,
];
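Review bot: The new `encrypt_mimes` comment explains the enabled case but says nothing about what changes when the option is `false`, which is the case an operator actually needs to understand before flipping it. Since the unencrypted value is parsed server-side and decides which file types the popup lists, I would add after the last `|` line: `| When disabled, the mimes parameter travels as plain JSON and anyone who can open the popup can change the listed types; rely on the volume's server-side permissions, not this filter, to protect files.` It would also help to state the default in the comment itself (`| Default: true`) so that readers of the published config see it without opening the views.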
diff --git a/resources/views/fields/browse.blade.php b/resources/views/fields/browse.blade.php
index ef1c631..e5e93a3 100644
--- a/resources/views/fields/browse.blade.php
+++ b/resources/views/fields/browse.blade.php
@@ -1,7 +1,10 @@
{{-- browse server input --}}
@php
$field['attributes']['data-elfinder-trigger-url'] = $field['attributes']['data-elfinder-trigger-url'] ?? url(config('elfinder.route.prefix').'/popup/'.$field['name']);
-$field['attributes']['data-elfinder-trigger-url'] .= '?mimes='.urlencode(Crypt::encrypt($field['mime_types'] ?? ''));
+$mimeTypes = $field['mime_types'] ?? '';
+$field['attributes']['data-elfinder-trigger-url'] .= '?mimes='.urlencode(
+ config('elfinder.encrypt_mimes', true) ? Crypt::encrypt($mimeTypes) : json_encode($mimeTypes, JSON_UNESCAPED_SLASHES)
+);
@endphp
@include('crud::fields.inc.wrapper_start')
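Review bot: In the new `json_encode` branch at L33 a failure (for example invalid UTF-8 in a configured mime type) returns `false`, which `urlencode` turns into an empty `mimes=` parameter, and the controller treats an empty value as "no restriction" — the filter silently disappears instead of failing. Pass `JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR` so a bad configuration surfaces as an exception: `config('elfinder.encrypt_mimes', true) ? Crypt::encrypt($mimeTypes) : json_encode($mimeTypes, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR)`. The same four lines are duplicated verbatim in `browse_multiple.blade.php` (L45-L48); a small shared helper that takes the mime types and returns the encoded query value would keep the encrypt/plain decision in one place.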
diff --git a/resources/views/fields/browse_multiple.blade.php b/resources/views/fields/browse_multiple.blade.php
index cc9e68c..dfbccf8 100644
--- a/resources/views/fields/browse_multiple.blade.php
+++ b/resources/views/fields/browse_multiple.blade.php
@@ -11,7 +11,10 @@
$field['wrapper']['data-init-function'] = $field['wrapper']['data-init-function'] ?? 'bpFieldInitBrowseMultipleElement';
$field['wrapper']['data-elfinder-trigger-url'] = $field['wrapper']['data-elfinder-trigger-url'] ?? url(config('elfinder.route.prefix').'/popup/'.$field['name'].'?multiple=1');
-$field['wrapper']['data-elfinder-trigger-url'] .= '&mimes='.urlencode(Crypt::encrypt($field['mime_types'] ?? ''));
+$mimeTypes = $field['mime_types'] ?? '';
+$field['wrapper']['data-elfinder-trigger-url'] .= '&mimes='.urlencode(
+ config('elfinder.encrypt_mimes', true) ? Crypt::encrypt($mimeTypes) : json_encode($mimeTypes, JSON_UNESCAPED_SLASHES)
+);
if ($multiple) {
$field['wrapper']['data-multiple'] = "true";
diff --git a/resources/views/standalonepopup.blade.php b/resources/views/standalonepopup.blade.php
index ec6a344..3513dfa 100644
--- a/resources/views/standalonepopup.blade.php
+++ b/resources/views/standalonepopup.blade.php
@@ -34,6 +34,7 @@
diff --git a/src/BackpackElfinderController.php b/src/BackpackElfinderController.php
index 2c2236d..334e616 100644
--- a/src/BackpackElfinderController.php
+++ b/src/BackpackElfinderController.php
@@ -12,16 +12,20 @@ public function showPopup($input_id)
{
$mimes = request('mimes');
- if (! isset($mimes)) {
- Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
- abort(403, 'Unauthorized action.');
- }
-
- try {
- $mimes = Crypt::decrypt(urldecode(request('mimes')));
- } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
- Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
- abort(403, 'Unauthorized action.');
+ if (config('elfinder.encrypt_mimes', true)) {
+ if (! isset($mimes)) {
+ Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
+ abort(403, 'Unauthorized action.');
+ }
+
+ try {
+ $mimes = Crypt::decrypt(urldecode($mimes));
+ } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
+ Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
+ abort(403, 'Unauthorized action.');
+ }
+ } else {
+ $mimes = $mimes ? json_decode(urldecode($mimes), true) : '';
}
if (! empty($mimes)) {
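Review bot: The unencrypted branch at L86 accepts whatever the client sends without validation: `json_decode` returns `null` on malformed input, which `empty($mimes)` then reads as "no restriction", and a well-formed payload may be any JSON shape rather than the string or list of strings the templates emit, so whatever consumes `$mimes` further down sees an unexpected type. The encrypted branch logs and aborts on a bad payload; the plain branch should at least decode with `JSON_THROW_ON_ERROR` and reject anything that is not a string or an array of strings. `showPopup` continues past the end of this hunk, so the `empty($mimes)` check and its consumers are not visible here. `urldecode` on a value `request()` has already decoded is pre-existing and looks like a double-decode, but I cannot confirm from the hunk how the frontend builds the URL.
```php
} else {
    // Plain payload is client-controlled: only accept the shapes the templates emit.
    try {
        $mimes = $mimes ? json_decode(urldecode($mimes), true, 512, JSON_THROW_ON_ERROR) : '';
    } catch (\JsonException $e) {
        Log::error('Invalid mime types payload in elfinder popup.');
        abort(400, 'Invalid mime types.');
    }
    $isListOfStrings = is_array($mimes) && array_filter($mimes, 'is_string') === $mimes;
    if (! is_string($mimes) && ! $isListOfStrings) {
        Log::error('Invalid mime types payload in elfinder popup.');
        abort(400, 'Invalid mime types.');
    }
}
// … unchanged: empty($mimes) check and the rest of showPopup …
```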