This PR adds a whitelist of safe files to download with `Content-Disposition: inline;` from the backend; all other files will be force-downloaded via `Content-Disposition: attachment;`. Existing SVG files will still be rendered in a secure way via the HTML `image` tag.

Reference: https://digi.ninja/blog/svg_xss.php

Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
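A sketch of the allowlist approach the commit message describes, added here as an illustration and not taken from the PR. `dispositionFor` and the `inlineSafe` list are hypothetical, and keying the decision on the object's stored Content-Type is an assumption.

```go
package main

import (
	"fmt"
	"mime"
	"path"
)

// inlineSafe is an assumed allowlist (not the project's own list): media
// types a browser displays without running script in the serving origin.
var inlineSafe = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true,
	"application/pdf": true, "text/plain": true, "video/mp4": true,
}

// dispositionFor returns the Content-Disposition value for an object.
// It fails closed: a type that is not on the allowlist (image/svg+xml,
// text/html, ...) or that does not parse is served as an attachment.
func dispositionFor(objectName, contentType string) string {
	disp := "attachment"
	// ParseMediaType lowercases the type and strips parameters such as
	// charset, so "IMAGE/PNG; charset=utf-8" matches "image/png".
	if mt, _, err := mime.ParseMediaType(contentType); err == nil && inlineSafe[mt] {
		disp = "inline"
	}
	// Only the base name is exposed. FormatMediaType quotes the filename and
	// percent-encodes control and non-ASCII bytes (RFC 2231), so a crafted
	// object key cannot add header lines.
	return mime.FormatMediaType(disp, map[string]string{"filename": path.Base(objectName)})
}

func main() {
	// Constructed sample objects: {object key, stored Content-Type}.
	samples := [][2]string{
		{"photos/cat.png", "image/png"},
		{"logo.svg", "image/svg+xml"},
		{"page.html", "text/html"},
		{"my file.pdf", "application/pdf"},
		{"notes.txt", ""},
	}
	for _, s := range samples {
		fmt.Printf("%-16s %-18q -> %s\n", s[0], s[1], dispositionFor(s[0], s[1]))
	}
}
```
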