From 89acd36dde573905cc087018ff3fbaa539e5b76e Mon Sep 17 00:00:00 2001
From: James Allen
Date: Thu, 10 Mar 2016 09:32:32 +0000
Subject: [PATCH] Send .svg files as text/plain to prevent executable JS if they are loaded as SVG in the browser

---
 app/coffee/ContentTypeMapper.coffee | 4 +---
 test/unit/coffee/ContentTypeMapperTests.coffee | 4 ++++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/app/coffee/ContentTypeMapper.coffee b/app/coffee/ContentTypeMapper.coffee
index 4f0eb2d..68b2d14 100644
--- a/app/coffee/ContentTypeMapper.coffee
+++ b/app/coffee/ContentTypeMapper.coffee
@@ -6,7 +6,7 @@ Path = require 'path'
 module.exports = ContentTypeMapper =
 map: (path) ->
 switch Path.extname(path)
- when '.txt', '.html', '.js', '.css'
+ when '.txt', '.html', '.js', '.css', '.svg'
 return 'text/plain'
 when '.csv'
 return 'text/csv'
@@ -20,7 +20,5 @@ module.exports = ContentTypeMapper =
 return 'image/tiff'
 when '.gif'
 return 'image/gif'
- when '.svg'
- return 'image/svg+xml'
 else
 return 'application/octet-stream'
diff --git a/test/unit/coffee/ContentTypeMapperTests.coffee b/test/unit/coffee/ContentTypeMapperTests.coffee
index d201b86..2439120 100644
--- a/test/unit/coffee/ContentTypeMapperTests.coffee
+++ b/test/unit/coffee/ContentTypeMapperTests.coffee
@@ -49,3 +49,7 @@ describe 'ContentTypeMapper', ->
 it 'should map .jpeg to image/jpeg', ->
 content_type = @ContentTypeMapper.map('example.jpeg')
 content_type.should.equal 'image/jpeg'
+
+ it 'should map .svg to text/plain to protect against XSS (SVG can execute JS)', ->
+ content_type = @ContentTypeMapper.map('example.svg')
+ content_type.should.equal 'text/plain'
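Review bot: The new `when '.txt', '.html', '.js', '.css', '.svg'` line carries no hint that `.svg` is in the text/plain group on purpose, so the only record of the rationale is the commit message and a test title, and a later maintainer tidying the `map:` switch could move it back to `image/svg+xml` (the second hunk of this file, which deletes that branch, has the same gap). A one-line comment above the `when` would pin the intent: `# '.svg' is deliberately text/plain, not image/svg+xml: an SVG rendered as a document can run embedded script in this origin`. Downgrading the type is only as strong as the serving layer's refusal to re-sniff it, so it is worth confirming that responses using this mapping also send `X-Content-Type-Options: nosniff`; this module does not show headers, so that cannot be verified from the hunk. The `map:` function and its `switch` continue past the end of both hunks.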
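Review bot: The added regression test pins only the lower-case `example.svg`; `Path.extname` preserves case and the `when` comparison is exact, so `example.SVG` appears to fall through to the `else` branch and get `application/octet-stream`, which is harmless but is not covered by any assertion and would not catch a future case-insensitive rewrite that maps it to `image/svg+xml`. A second case alongside the new one would close that: `it 'should not map .SVG to image/svg+xml', ->` / `content_type = @ContentTypeMapper.map('example.SVG')` / `content_type.should.not.equal 'image/svg+xml'`. The `describe 'ContentTypeMapper'` block starts outside the hunk.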