PrivateBin/lib
rugk 7f1f40853e fix: prevent browsers from rendering unsafe attachments like HTML in a new tab
We do not want to santitize them with DOMPurify, as an attached file should
be returned exactly as it has been attached by the creator. And sharing HTML files
is IMHO a legitimate use case.

However, opening these in a new tab can result in (JS) code execution.
Yet again, opening a "bigger" preview for some file types like images or videos
is also a valid use case, which also should not be broken. That's why this is not done
in alll cases, but some mime type filtering still exists.

I also looked into whether a blocklist (for HTML and SVG) would make sense, but really
you cannot possibly define an exhausive list of "unsafe" mime types: https://security.stackexchange.com/a/167853/91425

That's why I use a quite strict allowlist approach here.
I skimmed https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/MIME_types/Common_types
for what could be common use cases/mime types, people _may_ actually want to get
rendered and this is the result.

Thus I am quite confident this patch does not introduce such a big "breaking change"
(in UI behaviour), but people best do not notice it.
2026-06-13 22:01:35 +02:00
..
Data address PHP 8.5 deprecation 2025-12-02 07:07:04 +01:00
Exception apply StyleCI recommendation 2025-11-19 10:02:15 +01:00
Model apply null coalescing operator, strict equality, avoid aliases, prefer empty 2025-11-20 08:19:14 +01:00
Persistence apply null coalescing operator, strict equality, avoid aliases, prefer empty 2025-11-20 08:19:14 +01:00
Proxy fix: cast statusCode to int before strict comparison 2026-05-25 23:34:57 +03:00
.htaccess updating shipped .htaccess files for Apache 2.4 as per https://httpd.apache.org/docs/2.4/upgrading.html#access - Thanks @EchoDev, fixes #194 2017-03-11 08:56:14 +01:00
Configuration.php fix: prevent browsers from rendering unsafe attachments like HTML in a new tab 2026-06-13 22:01:35 +02:00
Controller.php incrementing version 2026-05-03 08:10:16 +02:00
Filter.php Switch from binary bytes to SI-units 2025-07-23 21:06:20 +03:00
FormatV2.php apply null coalescing operator, strict equality, avoid aliases, prefer empty 2025-11-20 08:19:14 +01:00
I18n.php credit Persian translation & enable use of Persian plurals 2026-02-06 19:15:02 +01:00
Json.php apply StyleCI recommendation 2025-11-19 09:57:08 +01:00
Model.php enable strict types in PHP 2024-06-04 07:13:55 +02:00
Request.php apply null coalescing operator, strict equality, avoid aliases, prefer empty 2025-11-20 08:19:14 +01:00
TemplateSwitcher.php ensure template cookie cannot be a path 2025-11-11 17:52:48 +01:00
View.php apply StyleCI recommendation 2026-04-03 18:38:34 +02:00
Vizhash16x16.php apply null coalescing operator, strict equality, avoid aliases, prefer empty 2025-11-20 08:19:14 +01:00