YourSelfHosted/memos
1
0
Fork 0
mirror of https://github.com/usememos/memos.git synced 2025-06-05 22:09:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: prevent XSS for specific content types

Browse Source
This commit is contained in:
Steven
2025-05-22 00:05:33 +08:00
parent c2528c57f0
commit 46d5307d7f
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
server/router/api/v1/resource_service.go
View File

@@ -188,6 +188,12 @@ func (s *APIV1Service) GetResourceBinary(ctx context.Context, request *v1pb.GetR
if strings.HasPrefix(contentType, "text/") { if strings.HasPrefix(contentType, "text/") {
contentType += "; charset=utf-8" contentType += "; charset=utf-8"
} }
// Prevent XSS attacks by serving potentially unsafe files with a content type that prevents script execution.
if strings.EqualFold(contentType, "image/svg+xml") ||
strings.EqualFold(contentType, "text/html") ||
strings.EqualFold(contentType, "application/xhtml+xml") {
contentType = "application/octet-stream"
}
return &httpbody.HttpBody{ return &httpbody.HttpBody{
ContentType: contentType, ContentType: contentType,