-rw-r--r--include/functions.php5
1 files changed, 4 insertions, 1 deletions
diff --git a/include/functions.php b/include/functions.php
index eaba61a05..bc66317bb 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -1820,8 +1820,11 @@
if ($mimetype == "application/octet-stream")
$mimetype = "video/mp4";
+ # block SVG because of possible embedded javascript (.....)
+ $mimetype_blacklist = [ "image/svg+xml" ];
+
/* only serve video and images */
- if (!preg_match("/(image|video)\//", $mimetype)) {
+ if (!preg_match("/(image|video)\//", $mimetype) || in_array($mimetype, $mimetype_blacklist)) {
http_response_code(400);
header("Content-type: text/plain");