Why does uploading an image to Content Store fail with XSS error due to suspicious content?

Uploading an image to the content store can fail, with a popup displaying “Cannot execute action because XSS scanner found suspicious content!” This is unexpected because an image shouldn’t contain any cross-site scripting elements.

Cause

This can occur when an image has been saved through an Adobe product such as Photoshop or Lightroom. The application adds metadata to the image, which is user (or application) defined information about the image but not part of the displayed image itself.

If this metadata contains URLs or unexpected binary data, the image upload will fail after being checked for suspicious content.

Solution

You’ll need to ensure either that you’re saving images without metadata or that the metadata does not contain URLs or JavaScript.

For this, you can:

• Check your tool for an option to export or save for the web, and ensure that you have selected any options to remove metadata from that exported image.

• Check your tool’s settings to not add metadata to your image.

• Open the image with an alternative image editor, such as Paint.NET on Windows or Krita on Mac. Then, save it with a new name. By default, this will strip most, if not all, metadata from the images, leaving only the image data itself.

• Use an external tool to clean your image files, such as ExifTools.

Once the metadata is removed, you may have a smaller, more optimized file. Engage will no longer detect suspicious content, allowing you to load the file into the Content Store.