misc: do not transform, and restrict, uploaded HTML files (#67872)
parent
9a34833f01
commit
69ab751d32
|
@ -94,6 +94,11 @@ class FileDirectory(Directory):
|
|||
else:
|
||||
raise errors.TraversalError()
|
||||
|
||||
# force potential HTML upload to be used as-is (not decorated with theme)
|
||||
# and with minimal permissions
|
||||
response.filter = {}
|
||||
response.set_header('Content-Security-Policy', 'default-src \'none\';')
|
||||
|
||||
if file.content_type:
|
||||
response.set_content_type(file.content_type)
|
||||
else:
|
||||
|
|
|
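Review bot: `default-src 'none'` blocks scripts, styles and other subresources in the uploaded HTML, but the CSP directives `form-action` and `base-uri` do not fall back to `default-src`, so an uploaded page served from the site's own origin can still carry a form that posts anywhere or a `<base>` that rewrites relative links; if "minimal permissions" is the intent, extend the header to `response.set_header('Content-Security-Policy', "default-src 'none'; form-action 'none'; base-uri 'none';")` (the `sandbox` directive is a further option, presumably only if non-HTML uploads don't rely on browser plugins — confirm). The uploaded `file.content_type` is also passed straight through, so pairing it with `response.set_header('X-Content-Type-Options', 'nosniff')` stops a differently labelled upload from being sniffed into HTML. The same four lines are repeated in the FormPage hunk at 1684; a small shared helper would keep the two policies from drifting apart. Both enclosing methods start and end outside their hunks.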
@ -1684,6 +1684,12 @@ class FormPage(Directory, FormTemplateMixin):
|
|||
if tempfile is None:
|
||||
raise errors.TraversalError()
|
||||
response = get_response()
|
||||
|
||||
# force potential HTML upload to be used as-is (not decorated with theme)
|
||||
# and with minimal permissions
|
||||
response.filter = {}
|
||||
response.set_header('Content-Security-Policy', 'default-src \'none\';')
|
||||
|
||||
if tempfile['content_type']:
|
||||
response.set_content_type(tempfile['content_type'])
|
||||
else:
|
||||
|
|