
File extension disallowed

Posted: Mon Sep 09, 2019 8:05 am
by OSWorX
Currently (Hesk 2.8.4, but also in older versions) file extensions like .php are not allowed, because they are also removed after being defined inside the file admin_settings_save.php.

I know that such a file could be a security risk (.js also, and this is allowed), but for a support site that handles scripts and files, php should be possible.

Checking for malicious code inside the php files should be done at upload (client side, because staff should know what they are doing!) and refused if they contain a security risk.

I am also missing a check for malicious code inside images, e.g. submitting a file as doc, txt, etc. masked as .png or .jpg.

Re: File extension disallowed

Posted: Mon Sep 09, 2019 8:50 am
by Klemen
Correct, some extensions are removed because they represent files that can be executed on a typical PHP-configured server (.js are typically client-side unless you run something like NodeJS on the server). It's an extra step to help keep Hesk secure.

If you want to accept PHP files, the smart thing would be to ask your users to compress them before uploading (zip, gz, rar, 7z ...).

Yes, images, text files, ... can contain hidden code. However, a properly configured server should not execute them. Also, reliably scanning files at upload is way out of the scope of Hesk's design. There are much better tools for that which run server-side. For example, I use ConfigServer eXploit Scanner, which also takes care of banning such users with the help of ModSecurity hooks.

> client side, because staff should know what they are doing
You'd be surprised :lol:
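The two checks discussed in this thread, stripping server-executable extensions from the admin's allowlist (what Hesk does in admin_settings_save.php) and rejecting files whose content does not match the image extension they carry (the masked .png/.jpg case), as an added Python example. This is not Hesk's code, which is PHP; the list of "executable on a typical PHP server" extensions, the magic-byte table and the sample uploads are constructed for the example, and a real deployment would pair this with the server-side scanning the reply recommends.

```python
import os

# Extensions a typical PHP-configured web server may hand to an interpreter
# (constructed list for this example; extend it to match your server config).
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl"}

# Leading bytes ("magic numbers") of the image formats named in the thread.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


def filter_allowed_extensions(configured):
    """Drop server-executable extensions from an admin-supplied allowlist,
    the same kind of post-save filtering the thread describes."""
    return {e.lower().lstrip(".") for e in configured} - SERVER_EXECUTABLE


def extension_parts(filename):
    """All dotted segments after the base name, lower-cased: 'a.php.jpg' -> ['php', 'jpg']."""
    name = os.path.basename(filename).lower()
    return [p for p in name.split(".")[1:] if p]


def check_upload(filename, head, allowed):
    """Decide whether an upload is accepted.

    filename: name as submitted by the client
    head:     first bytes of the uploaded content
    allowed:  extension allowlist (already passed through filter_allowed_extensions)
    Returns (accepted, reason)."""
    parts = extension_parts(filename)
    if not parts:
        return False, "no extension"
    # Reject if ANY segment is executable: 'x.php.jpg' can be run by some
    # server configurations, so the last segment alone is not enough.
    for p in parts:
        if p in SERVER_EXECUTABLE:
            return False, f"server-executable extension .{p}"
    ext = parts[-1]
    if ext not in allowed:
        return False, f".{ext} not in allowlist"
    # For image extensions, require the content to start with the format's signature,
    # so a document renamed to .png is refused instead of stored as an image.
    sig = IMAGE_SIGNATURES.get(ext)
    if sig is not None and not head.startswith(sig):
        return False, f"content does not match .{ext} signature"
    return True, "accepted"


def demo():
    """Run the checks over constructed sample uploads; returns {filename: accepted}."""
    allowed = filter_allowed_extensions({"php", "png", "jpg", "txt", "zip"})
    samples = [
        ("notes.txt", b"hello"),                       # plain text, allowed
        ("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00"),   # genuine PNG header
        ("report.png", b"\xd0\xcf\x11\xe0\xa1\xb1"),   # OLE/doc header masked as .png
        ("fix.php", b"<?php echo 1;"),                  # executable extension
        ("fix.php.jpg", b"\xff\xd8\xff\xe0"),           # executable segment before .jpg
        ("fix.zip", b"PK\x03\x04"),                     # compressed, as the reply suggests
    ]
    return {name: check_upload(name, head, allowed)[0] for name, head in samples}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14} {'accepted' if ok else 'rejected'}")
```

Note that the allowlist is filtered once at save time and the content signature is checked per upload; neither replaces a server configuration that refuses to execute anything under the attachment directory.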