Craftadoc/clsi
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Send .svg files as text/plain to prevent executable JS if they are loaded as SVG in the browser

Browse Source
This commit is contained in:
James Allen
2016-03-10 09:32:32 +00:00
parent a3383f11a1
commit 89acd36dde
2 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/coffee/ContentTypeMapper.coffee
View File

@@ -6,7 +6,7 @@ Path = require 'path'
module.exports = ContentTypeMapper = module.exports = ContentTypeMapper =
map: (path) -> map: (path) ->
switch Path.extname(path) switch Path.extname(path)
when '.txt', '.html', '.js', '.css' when '.txt', '.html', '.js', '.css', '.svg'
return 'text/plain' return 'text/plain'
when '.csv' when '.csv'
return 'text/csv' return 'text/csv'
@@ -20,7 +20,5 @@ module.exports = ContentTypeMapper =
return 'image/tiff' return 'image/tiff'
when '.gif' when '.gif'
return 'image/gif' return 'image/gif'
when '.svg'
return 'image/svg+xml'
else else
return 'application/octet-stream' return 'application/octet-stream'

4
test/unit/coffee/ContentTypeMapperTests.coffee
View File

@@ -49,3 +49,7 @@ describe 'ContentTypeMapper', ->
it 'should map .jpeg to image/jpeg', -> it 'should map .jpeg to image/jpeg', ->
content_type = @ContentTypeMapper.map('example.jpeg') content_type = @ContentTypeMapper.map('example.jpeg')
content_type.should.equal 'image/jpeg' content_type.should.equal 'image/jpeg'
it 'should map .svg to text/plain to protect against XSS (SVG can execute JS)', ->
content_type = @ContentTypeMapper.map('example.svg')
content_type.should.equal 'text/plain'