prevent xhtml files from being uploaded in the assets manager

Cockpit-HQ · Aug 14, 2023 · 34ab31e · 34ab31e
1 parent 95977dd
commit 34ab31e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 ## WIP
 
-- Prevent uploading .phps + .html files in assets manager
+- Prevent uploading .phps + .(x)html files in assets manager
 - Require verification for updating user data
 - Support post field projection after content population (via ..{fieldname})
 - Extract width + height and colors from uploaded svg files

diff --git a/modules/Assets/bootstrap.php b/modules/Assets/bootstrap.php
@@ -68,8 +68,11 @@
         $allowed   = $allowed == '*' ? true : str_replace([' ', ','], ['', '|'], preg_quote(is_array($allowed) ? implode(',', $allowed) : $allowed));
         $max_size  = $this->app->retrieve('assets/max_upload_size', 0);
 
-        $forbiddenExtension = ['php', 'phar', 'phtml', 'phps', 'htm', 'html', 'htaccess'];
-        $forbiddenMime = ['application/x-httpd-php', 'text/html'];
+        $forbiddenExtension = ['php', 'phar', 'phtml', 'phps', 'htm', 'html', 'xhtml', 'htaccess'];
+        $forbiddenMime = [
+            'application/x-httpd-php', 'application/x-php', 'text/x-php',
+            'text/html', 'application/xhtml+xml'
+        ];
 
         if (isset($files['name']) && is_array($files['name'])) {