Commit
This addresses a security vulnerability reported by xxx where uploading a malicious SVG, getting the direct file link, adding `s=1` to the end, and visiting the link directly will render the SVG in the browser and execute the malicious JavaScript within the SVG. This adds a CSP (Content Security Policy) header with `default-src 'self'` to the display code. When this header is present it prevents all inline JavaScript execution, thus mitigating the XSS.
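The mitigation above, as an added example that is not the project's own code: a minimal response-header builder that attaches `Content-Security-Policy: default-src 'self'` whenever an uploaded file of a scriptable type (SVG, HTML) is served for inline display, plus a small policy checker that decides whether a given CSP value would let arbitrary inline script run. The `Upload` record, the `display_inline` flag (standing in for the `s=1` query parameter) and the function names are assumptions; the project's real serving code is not shown on this page.

```python
"""Added example: CSP header for inline display of uploaded files, plus a checker
that evaluates whether a policy permits arbitrary inline script.  Not the
project's code; record layout and names are assumptions."""
from dataclasses import dataclass
import re

CSP_HEADER = "Content-Security-Policy"
# The policy from the commit: same-origin only, which also disallows inline script.
SVG_POLICY = "default-src 'self'"

# Content types the browser treats as documents and will execute script inside.
SCRIPTABLE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml"}


@dataclass
class Upload:  # hypothetical stored-file record
    name: str
    content_type: str
    data: bytes


def response_headers(upload: Upload, display_inline: bool) -> dict:
    """Build headers for serving an uploaded file.

    display_inline stands in for the `s=1` flag (assumption): when set, the file
    is rendered in the browser, so scriptable types get the CSP header; otherwise
    the file is offered as a download and no document is rendered at all.
    """
    # Keep header injection out: only a conservative character set in filenames.
    safe_name = re.sub(r"[^\w.\-]", "_", upload.name)
    headers = {
        "Content-Type": upload.content_type,
        "X-Content-Type-Options": "nosniff",  # stop MIME sniffing into a scriptable type
    }
    if display_inline:
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
        if upload.content_type in SCRIPTABLE_TYPES:
            headers[CSP_HEADER] = SVG_POLICY
    else:
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


def parse_csp(policy: str) -> dict:
    """Parse 'dir src src; dir src' into {directive_name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def allows_inline_script(policy: str) -> bool:
    """True if the policy lets un-nonced, un-hashed inline script execute.

    Simplified CSP rule: script-src governs inline script; if it is absent,
    default-src is the fallback; if neither is present, nothing is restricted.
    Inline script then runs only with 'unsafe-inline', and CSP3 browsers ignore
    'unsafe-inline' when a nonce or hash source is also listed.  (The full
    algorithm also consults script-src-elem / script-src-attr, omitted here.)
    """
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


if __name__ == "__main__":
    # Constructed sample: an SVG carrying an inline event handler.
    svg = Upload("logo.svg", "image/svg+xml",
                 b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>')
    hdrs = response_headers(svg, display_inline=True)
    print(hdrs[CSP_HEADER], "-> inline script allowed:",
          allows_inline_script(hdrs[CSP_HEADER]))
```

Note that the checker reports `default-src *` as blocking inline script too: the wildcard widens where scripts may be fetched from but never grants `'unsafe-inline'`, which is exactly why the commit's policy is effective against script embedded in the SVG itself.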