From e237a35f0d51683511e87e68c2fe3fd9bdf3ef9e Mon Sep 17 00:00:00 2001
From: default
Date: Thu, 13 Feb 2025 19:38:54 +0100
Subject: Drop SVG attachments, as they may include JavaScript.

---
 html.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/html.c b/html.c
index 7b6495b..d713fbb 100644
--- a/html.c
+++ b/html.c
@@ -2242,6 +2242,11 @@ xs_html *html_entry(snac *user, xs_dict *msg, int read_only,
 if (content && xs_str_in(content, o_href) != -1)
 continue;
 
+ /* drop silently any attachment that may include JavaScript */
+ if (strcmp(type, "image/svg+xml") == 0 ||
+ strcmp(type, "text/html") == 0)
+ continue;
+
 /* do this attachment include an icon? */
 const xs_dict *icon = xs_dict_get(a, "icon");
 if (xs_type(icon) == XSTYPE_DICT) {
-- 
cgit v1.2.3
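Review bot: The added `if` is an exact, case-sensitive denylist, so a media type written as `IMAGE/SVG+XML` or carrying parameters such as `image/svg+xml; charset=utf-8` would still reach the renderer; media types are case-insensitive, so comparing only the type/subtype prefix with `strncasecmp(type, "image/svg+xml", 13) == 0`, or better allow-listing the few types the attachment code actually embeds, would be harder to slip past. If `type` can be NULL for a malformed attachment — its definition lies outside the hunk — both `strcmp` calls dereference NULL, and a leading `type &&` in the condition would close that. The commit subject names only SVG while the code also drops `text/html`; the comment could say so, e.g. `/* drop silently any attachment (SVG, HTML) that may carry script */`. html_entry continues before and after this hunk.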