Merge commit from fork

fix: prevent browsers from rendering unsafe attachments like HTML in a new tab
This commit is contained in:
El RIDO 2026-07-11 10:04:56 +02:00 committed by GitHub
commit e0dd4c025c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 32 additions and 2 deletions

View file

@ -2,6 +2,7 @@
## 2.0.5 (not yet released)
* CHANGED: Show OS-specific copy hotkey hint (Cmd+c on Mac, Ctrl+c on others) (#1506)
* FIXED: Prevent browsers from rendering unsafe attachments like HTML in a new tab
* FIXED: State corruption after "Remove attachment" (#1824)
* FIXED: Copy button is hidden if the document is made as markdown (#1703)
* FIXED: Shortened URLs from YOURLS received but failed to parse (#1844)

View file

@ -2997,11 +2997,18 @@ jQuery.PrivateBin = (function($) {
const mimeType = me.getAttachmentMimeType(attachmentData);
// We explicitly do _not_ use the original mime type for the download link
// to always force a download instead of potentially dangerous browser rendering/parsing/interpretation
let safeMimeType = 'application/octet-stream';
if (me.isSafeMimeType(mimeType)) {
safeMimeType = mimeType;
}
// extract data and convert to binary
const rawData = attachmentData.substring(base64Start);
const decodedData = rawData.length > 0 ? atob(rawData) : '';
let blobUrl = getBlobUrl(decodedData, mimeType);
let blobUrl = getBlobUrl(decodedData, safeMimeType);
attachmentLink.attr('href', blobUrl);
if (typeof fileName !== 'undefined') {
@ -3031,6 +3038,28 @@ jQuery.PrivateBin = (function($) {
me.handleBlobAttachmentPreview($attachmentPreview, blobUrl, mimeType);
};
/**
* Evaluates whether this is known a safe mime type.
*
* This means, the media can safely be displayed and e.g. no XSS should be possible.
*
* @name AttachmentViewer.isSafeMimeType
* @function
* @param {string}
* @returns {bool}
*/
me.isSafeMimeType = function(mimeType) {
return (
mimeType.startsWith('image/') &&
!mimeType.includes('svg')
) ||
mimeType.startsWith('video/') ||
mimeType.startsWith('audio/') ||
mimeType.endsWith('/pdf') ||
mimeType === 'text/plain';
}
/**
* displays the attachment
*

View file

@ -122,7 +122,7 @@ class Configuration
'js/kjua-0.10.0.js' => 'sha512-BYj4xggowR7QD150VLSTRlzH62YPfhpIM+b/1EUEr7RQpdWAGKulxWnOvjFx1FUlba4m6ihpNYuQab51H6XlYg==',
'js/legacy.js' => 'sha512-RQEo1hxpNc37i+jz/D9/JiAZhG8GFx3+SNxjYnI7jUgirDIqrCSj6QPAAZeaidditcWzsJ3jxfEj5lVm7ZwTRQ==',
'js/prettify.js' => 'sha512-puO0Ogy++IoA2Pb9IjSxV1n4+kQkKXYAEUtVzfZpQepyDPyXk8hokiYDS7ybMogYlyyEIwMLpZqVhCkARQWLMg==',
'js/privatebin.js' => 'sha512-zbka2ePFe4nT6QVb6tManMPWaZleeJk57R0eRgQTZNpRdu5LklTuSdHnIfFKtY7ZLbN2tER1vKYDx1eHwvnDfg==',
'js/privatebin.js' => 'sha512-jjr01MrlrFg2aOLcUf/BouIVTaYNDNIKvfz5pC4lya4rbUxLinRX/h64mt/KLJotk3XXsvS37z0cGLTbor43fQ==',
'js/purify-3.4.1.js' => 'sha512-280a/Vb6fVFsYaeRrkuDp4EDmdYlt2XS+dlDEO/U9qljPrAraA2bIzHTNmP+9dpwPDDwTML+RS+h5iaagPwTzA==',
'js/showdown-2.1.0.js' => 'sha512-WYXZgkTR0u/Y9SVIA4nTTOih0kXMEd8RRV6MLFdL6YU8ymhR528NLlYQt1nlJQbYz4EW+ZsS0fx1awhiQJme1Q==',
'js/zlib-1.3.2.js' => 'sha512-RAhJgxg9siMIA8ky4c10Rc2zUgnK80olHB8Tt1IOYWY4Eh1WmrviQkDn+sgBlb38ZHq3tzufGC41kP360gmosQ==',