mirror of
https://github.com/PrivateBin/PrivateBin.git
synced 2026-07-18 00:46:17 +00:00
We do not want to santitize them with DOMPurify, as an attached file should be returned exactly as it has been attached by the creator. And sharing HTML files is IMHO a legitimate use case. However, opening these in a new tab can result in (JS) code execution. Yet again, opening a "bigger" preview for some file types like images or videos is also a valid use case, which also should not be broken. That's why this is not done in alll cases, but some mime type filtering still exists. I also looked into whether a blocklist (for HTML and SVG) would make sense, but really you cannot possibly define an exhausive list of "unsafe" mime types: https://security.stackexchange.com/a/167853/91425 That's why I use a quite strict allowlist approach here. I skimmed https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/MIME_types/Common_types for what could be common use cases/mime types, people _may_ actually want to get rendered and this is the result. Thus I am quite confident this patch does not introduce such a big "breaking change" (in UI behaviour), but people best do not notice it. |
||
|---|---|---|
| .. | ||
| Data | ||
| Exception | ||
| Model | ||
| Persistence | ||
| Proxy | ||
| .htaccess | ||
| Configuration.php | ||
| Controller.php | ||
| Filter.php | ||
| FormatV2.php | ||
| I18n.php | ||
| Json.php | ||
| Model.php | ||
| Request.php | ||
| TemplateSwitcher.php | ||
| View.php | ||
| Vizhash16x16.php | ||