mirror of
https://github.com/PrivateBin/PrivateBin.git
synced 2026-07-17 16:39:40 +00:00
We do not want to santitize them with DOMPurify, as an attached file should be returned exactly as it has been attached by the creator. And sharing HTML files is IMHO a legitimate use case. However, opening these in a new tab can result in (JS) code execution. Yet again, opening a "bigger" preview for some file types like images or videos is also a valid use case, which also should not be broken. That's why this is not done in alll cases, but some mime type filtering still exists. I also looked into whether a blocklist (for HTML and SVG) would make sense, but really you cannot possibly define an exhausive list of "unsafe" mime types: https://security.stackexchange.com/a/167853/91425 That's why I use a quite strict allowlist approach here. I skimmed https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/MIME_types/Common_types for what could be common use cases/mime types, people _may_ actually want to get rendered and this is the result. Thus I am quite confident this patch does not introduce such a big "breaking change" (in UI behaviour), but people best do not notice it. |
||
|---|---|---|
| .. | ||
| test | ||
| .istanbul.yml | ||
| .nycrc.yml | ||
| base-x-5.0.1.js | ||
| bootstrap-3.4.1.js | ||
| bootstrap-5.3.8.js | ||
| comment.jsonld | ||
| commentmeta.jsonld | ||
| common.js | ||
| dark-mode-switch.js | ||
| eslint.config.js | ||
| jquery-3.7.1.js | ||
| kjua-0.10.0.js | ||
| legacy.js | ||
| package-lock.json | ||
| package.json | ||
| paste.jsonld | ||
| pastemeta.jsonld | ||
| prettify.js | ||
| privatebin.js | ||
| purify-3.4.1.js | ||
| showdown-2.1.0.js | ||
| types.jsonld | ||
| zlib-1.3.2.js | ||
| zlib-1.3.2.wasm | ||
| zlib.js | ||