Drop SVG attachments, as they may include JavaScript.

author: default 2025-02-13 19:38:54 +0100
committer: default 2025-02-13 19:38:54 +0100
commit: e237a35f0d51683511e87e68c2fe3fd9bdf3ef9e (patch)
tree: 605f7dde1d92aa32c6336fef9ef349c0d9c7787a /html.c
parent: Added a default MAX_JSON_DEPTH inside xs_json.h. (diff)
download: penes-snac2-e237a35f0d51683511e87e68c2fe3fd9bdf3ef9e.tar.gz
penes-snac2-e237a35f0d51683511e87e68c2fe3fd9bdf3ef9e.tar.xz
penes-snac2-e237a35f0d51683511e87e68c2fe3fd9bdf3ef9e.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/html.c b/html.c
index 7b6495b..d713fbb 100644
--- a/html.c
+++ b/html.c
@@ -2242,6 +2242,11 @@ xs_html *html_entry(snac *user, xs_dict *msg, int read_only,
            if (content && xs_str_in(content, o_href) != -1)
                continue;
+            /* drop silently any attachment that may include JavaScript */
+            if (strcmp(type, "image/svg+xml") == 0 ||
+                strcmp(type, "text/html") == 0)
+                continue;
            /* do this attachment include an icon? */
            const xs_dict *icon = xs_dict_get(a, "icon");
            if (xs_type(icon) == XSTYPE_DICT) {
author	default	2025-02-13 19:38:54 +0100
committer	default	2025-02-13 19:38:54 +0100
commit	e237a35f0d51683511e87e68c2fe3fd9bdf3ef9e (patch)
tree	605f7dde1d92aa32c6336fef9ef349c0d9c7787a /html.c
parent	Added a default MAX_JSON_DEPTH inside xs_json.h. (diff)
download	penes-snac2-e237a35f0d51683511e87e68c2fe3fd9bdf3ef9e.tar.gz penes-snac2-e237a35f0d51683511e87e68c2fe3fd9bdf3ef9e.tar.xz penes-snac2-e237a35f0d51683511e87e68c2fe3fd9bdf3ef9e.zip