Commit 46d5307d authored by Steven's avatar Steven

fix: prevent XSS for specific content types

parent c2528c57
...@@ -188,6 +188,12 @@ func (s *APIV1Service) GetResourceBinary(ctx context.Context, request *v1pb.GetR ...@@ -188,6 +188,12 @@ func (s *APIV1Service) GetResourceBinary(ctx context.Context, request *v1pb.GetR
if strings.HasPrefix(contentType, "text/") { if strings.HasPrefix(contentType, "text/") {
contentType += "; charset=utf-8" contentType += "; charset=utf-8"
} }
// Prevent XSS attacks by serving potentially unsafe files with a content type that prevents script execution.
if strings.EqualFold(contentType, "image/svg+xml") ||
strings.EqualFold(contentType, "text/html") ||
strings.EqualFold(contentType, "application/xhtml+xml") {
contentType = "application/octet-stream"
}
return &httpbody.HttpBody{ return &httpbody.HttpBody{
ContentType: contentType, ContentType: contentType,
......
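Review bot: The `text/html` case in the new EqualFold chain can never match, because the `if strings.HasPrefix(contentType, "text/")` branch just above it has already rewritten the value to `text/html; charset=utf-8`, so HTML resources still go out with a script-capable content type; the same exact-match comparison also misses any value that already carries parameters (for example `image/svg+xml; charset=utf-8`) or surrounding whitespace. Comparing the parsed media type (`mime.ParseMediaType` from the standard library, which strips parameters and lowercases the type) and running that check before the charset suffix is appended closes both gaps; `mime` would have to be added to the file's import block, which is outside this hunk. Where `contentType` originates is not visible here, and `GetResourceBinary` continues outside the hunk on both sides.
```go
	// Prevent XSS attacks by serving potentially unsafe files with a content type that prevents script execution.
	// Compare the bare media type so parameters (charset etc.) and case cannot bypass the check,
	// and do it before any charset parameter is appended below.
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		mediaType = strings.ToLower(strings.TrimSpace(contentType))
	}
	switch mediaType {
	case "image/svg+xml", "text/html", "application/xhtml+xml":
		contentType = "application/octet-stream"
	}
	if strings.HasPrefix(contentType, "text/") {
		contentType += "; charset=utf-8"
	}
	// … unchanged: return &httpbody.HttpBody{ ... } …
```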