OpenMRS RA provides functionality for a user to add an attachment (document or file) to a patient as a Complex Obs. However, this functionality is vulnerable. An attacker can submit a malicious script. For example, a user can upload a .php file so long as its weight is below the maximum set size.
Actually, I even uploaded a .js file and the process executed successfully.
How can I restrict file uploads based on their type on the client side? Or it would be better if this were implemented on the server side.
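
A server-side check of the kind the question asks about, as an added example that is not part of the original post and is not OpenMRS code. The class name, method name and the allowlist contents (PDF, PNG, JPEG) are assumptions; the check accepts a file only when its final extension is allowlisted and its leading bytes match that type.

```java
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Map;

// Added example: class, method and allowlist are assumptions, not OpenMRS code.
public class UploadTypeCheck {

    // Allowlist: extension -> leading bytes ("magic number") the content must start with.
    private static final Map<String, byte[]> ALLOWED = Map.of(
        "pdf", "%PDF-".getBytes(StandardCharsets.US_ASCII),
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});

    /** Returns true only if the extension is allowlisted and the content matches it. */
    public static boolean isAllowed(String fileName, byte[] content) {
        if (fileName == null || content == null) return false;
        // Drop any client-supplied path, then take the final extension only.
        int slash = Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\'));
        String base = fileName.substring(slash + 1);
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) return false; // no usable extension
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = ALLOWED.get(ext);
        // Anything not on the allowlist (.php, .js, ...) is rejected here.
        if (magic == null || content.length < magic.length) return false;
        // The declared type must agree with what the bytes actually are.
        for (int i = 0; i < magic.length; i++) {
            if (content[i] != magic[i]) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample uploads.
        byte[] script = "<?php echo 1; ?>".getBytes(StandardCharsets.US_ASCII);
        byte[] pdf = "%PDF-1.7\n".getBytes(StandardCharsets.US_ASCII);
        System.out.println("report.pdf (PDF bytes):    " + isAllowed("report.pdf", pdf));
        System.out.println("scan.PDF (PDF bytes):      " + isAllowed("scan.PDF", pdf));
        System.out.println("shell.php (script bytes):  " + isAllowed("shell.php", script));
        System.out.println("shell.js (script bytes):   " + isAllowed("shell.js", script));
        System.out.println("shell.pdf (script bytes):  " + isAllowed("shell.pdf", script));
    }
}
```

A client-side filter (for example an `accept` attribute on the file input) only guides honest users, because the upload request can be sent without the browser; the server-side check is the one that enforces the restriction.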