
cached_url: block SVG images because of potential javascript inside

Andrew Dolgov 5 days ago
parent
commit
da5af2fae0
1 changed files with 4 additions and 1 deletions
  1. 4 1
      include/functions.php

+ 4 - 1
include/functions.php

@@ -1820,8 +1820,11 @@
 			if ($mimetype == "application/octet-stream")
 				$mimetype = "video/mp4";
 
+			# block SVG because of possible embedded javascript (.....)
+			$mimetype_blacklist = [ "image/svg+xml" ];
+
 			/* only serve video and images */
-			if (!preg_match("/(image|video)\//", $mimetype)) {
+			if (!preg_match("/(image|video)\//", $mimetype) || in_array($mimetype, $mimetype_blacklist)) {
 				http_response_code(400);
 				header("Content-type: text/plain");