Send .svg files as text/plain to prevent executable JS if they are loaded as SVG in the browser

This commit is contained in:
James Allen 2016-03-10 09:32:32 +00:00
parent 263ee43cb5
commit 320e225700
2 changed files with 5 additions and 3 deletions


@ -6,7 +6,7 @@ Path = require 'path'
module.exports = ContentTypeMapper =
map: (path) ->
switch Path.extname(path)
when '.txt', '.html', '.js', '.css'
when '.txt', '.html', '.js', '.css', '.svg'
return 'text/plain'
when '.csv'
return 'text/csv'
@ -20,7 +20,5 @@ module.exports = ContentTypeMapper =
return 'image/tiff'
when '.gif'
return 'image/gif'
when '.svg'
return 'image/svg+xml'
else
return 'application/octet-stream'
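Review bot: The new `when '.txt', '.html', '.js', '.css', '.svg'` line carries no hint of why an image extension sits among the text types, and the only explanation lives in the commit message; a later maintainer is likely to "fix" it back to `image/svg+xml` and silently reopen the issue this commit closes. Add a comment above the branch, e.g. `# '.svg' is deliberately text/plain: SVG documents can contain <script>, so serving them as image/svg+xml lets user-uploaded files run JS in the browser`. Note also that the mapper can only declare a type; whether the browser honours it depends on the response also setting `X-Content-Type-Options: nosniff`, which is outside this module and worth checking at the serving layer. The second hunk consistently drops the old `when '.svg'` / `return 'image/svg+xml'` branch, so there is no dead code left behind.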


@ -49,3 +49,7 @@ describe 'ContentTypeMapper', ->
it 'should map .jpeg to image/jpeg', ->
content_type = @ContentTypeMapper.map('example.jpeg')
content_type.should.equal 'image/jpeg'
it 'should map .svg to text/plain to protect against XSS (SVG can execute JS)', ->
content_type = @ContentTypeMapper.map('example.svg')
content_type.should.equal 'text/plain'
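Review bot: The new test pins only the lowercase `.svg` case, while `Path.extname` is case-preserving, so `example.SVG` takes the `else` branch rather than the `text/plain` branch; that currently yields `application/octet-stream`, which is still safe, but nothing guards against a future change mapping it to `image/svg+xml`. Consider a companion test such as `it 'should never map .SVG (any case) to image/svg+xml', ->` / `@ContentTypeMapper.map('example.SVG').should.not.equal 'image/svg+xml'`. The section header counts four additions but only three added lines are visible here, so the rendering has presumably dropped a blank separator line; the `describe` block starts outside this hunk.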