fix: prevent XSS for specific content types

2025-11-08 08:21:49 +08:00 · 2025-05-22 00:05:33 +08:00 · 2025-05-22 00:05:33 +08:00 · 46d5307d7f
commit 46d5307d7f
parent c2528c57f0
1 changed files with 6 additions and 0 deletions
--- a/server/router/api/v1/resource_service.go
+++ b/server/router/api/v1/resource_service.go
@ -188,6 +188,12 @@ func (s *APIV1Service) GetResourceBinary(ctx context.Context, request *v1pb.GetR
 	if strings.HasPrefix(contentType, "text/") {
 		contentType += "; charset=utf-8"
 	}
+	// Prevent XSS attacks by serving potentially unsafe files with a content type that prevents script execution.
+	if strings.EqualFold(contentType, "image/svg+xml") ||
+		strings.EqualFold(contentType, "text/html") ||
+		strings.EqualFold(contentType, "application/xhtml+xml") {
+		contentType = "application/octet-stream"
+	}

 	return &httpbody.HttpBody{
 		ContentType: contentType,