Thank you Nilamber
You are a savour, and yes you perfectly correct about .js security.
We are fine with this though as the file is distributed by us just for this plugin which is private, but thank you for mentioning it.
I dont suppose you would know how to only allow a file upload if it matches an exact name?
for example: xmpcfg.js
if it is not xmpcfg.js then do not allow
Again thanks for all your help
regards
Matt
