fix: prevent XSS for specific content types

46d5307d · Steven · c2528c57 · 46d5307d
Commit 46d5307d authored May 21, 2025 by Steven
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

resource_service.go server/router/api/v1/resource_service.go +6 -0

No files found.
--- a/server/router/api/v1/resource_service.go
+++ b/server/router/api/v1/resource_service.go
@@ -188,6 +188,12 @@ func (s *APIV1Service) GetResourceBinary(ctx context.Context, request *v1pb.GetR
 	if strings.HasPrefix(contentType, "text/") {
 		contentType += "; charset=utf-8"
 	}
+	// Prevent XSS attacks by serving potentially unsafe files with a content type that prevents script execution.
+	if strings.EqualFold(contentType, "image/svg+xml") ||
+		strings.EqualFold(contentType, "text/html") ||
+		strings.EqualFold(contentType, "application/xhtml+xml") {
+		contentType = "application/octet-stream"
+	}

 	return &httpbody.HttpBody{
 		ContentType: contentType,