Commit

[jan] SECURITY: Don't render SVG images in the browser to avoid XSS attacks (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).
yunosh committed Sep 6, 2016
1 parent 2c4fa7e commit a55bf75
Showing 2 changed files with 5 additions and 2 deletions.
3 changes: 3 additions & 0 deletions framework/Mime_Viewer/lib/Horde/Mime/Viewer/Images.php
Expand Up @@ -72,6 +72,9 @@ protected function _getType()
/* image/x-png == image/png. */
return 'image/png';

case 'image/svg+xml':
return 'application/octet-stream';

default:
return $type;
}
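Review bot: The new case in _getType() matches only the exact string 'image/svg+xml', and nothing in this hunk shows whether $type has been lowercased or stripped of parameters before the switch; if it has not, a part labelled 'Image/SVG+XML' would fall through to default and be returned unchanged. Please confirm the normalization happens earlier in the method, or compare case-insensitively here. A one-line comment above the case, in the style of the image/x-png comment just before it, saying that SVG is downgraded to application/octet-stream so the browser does not render it inline would help later readers. Since the commit touches only Images.php and package.xml, a unit test asserting this mapping would also guard against regressions.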
4 changes: 2 additions & 2 deletions framework/Mime_Viewer/package.xml
Expand Up @@ -21,7 +21,7 @@
</stability>
<license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
<notes>
*
* [jan] SECURITY: Don&apos;t render SVG images in the browser to avoid XSS attacks (Reported by Dawid Gounski via Beyond Security&apos;s SecuriTeam Secure Disclosure program).
</notes>
<contents>
<dir baseinstalldir="/" name="/">
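Review bot: The release note in this hunk says SVG images are no longer rendered in the browser but does not say what happens to them instead; per the Images.php change in this commit they are now reported as application/octet-stream. Consider adding that to the note so administrators reading the release notes know the resulting behaviour.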
Expand Down Expand Up @@ -1105,7 +1105,7 @@
<date>2016-07-28</date>
<license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
<notes>
*
* [jan] SECURITY: Don&apos;t render SVG images in the browser to avoid XSS attacks (Reported by Dawid Gounski via Beyond Security&apos;s SecuriTeam Secure Disclosure program).
</notes>
</release>
</changelog>
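Review bot: The changelog entry in this hunk sits under a release whose context line reads <date>2016-07-28</date>, while the commit itself is dated Sep 6, 2016. Please check that the date is refreshed when the release is cut, so the security fix is not recorded under a date that precedes it.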