commit e237a35f0d51683511e87e68c2fe3fd9bdf3ef9e
parent 4ccb52de741c90b086847193c425be0b97bdbf53
Author: default <nobody@localhost>
Date: Thu, 13 Feb 2025 19:38:54 +0100
Drop SVG attachments, as they may include JavaScript.
Diffstat:
1 file changed, 5 insertions(+), 0 deletions(-)
diff --git a/html.c b/html.c
@@ -2242,6 +2242,11 @@ xs_html *html_entry(snac *user, xs_dict *msg, int read_only,
if (content && xs_str_in(content, o_href) != -1)
continue;
+ /* drop silently any attachment that may include JavaScript */
+ if (strcmp(type, "image/svg+xml") == 0 ||
+ strcmp(type, "text/html") == 0)
+ continue;
+
/* do this attachment include an icon? */
const xs_dict *icon = xs_dict_get(a, "icon");
if (xs_type(icon) == XSTYPE_DICT) {
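Review bot: The new filter at the `strcmp(type, ...)` lines is an exact, case-sensitive match, so a declared media type of `image/SVG+xml` or `image/svg+xml;charset=utf-8` (MIME types are case-insensitive and may carry parameters) slips past it and the SVG is still rendered; a match on the type token up to the optional `;` is needed, e.g. `if (strncasecmp(type, "image/svg+xml", 13) == 0 || strncasecmp(type, "text/html", 9) == 0) continue;` (needs `<strings.h>`). `application/xhtml+xml` can carry inline script just as `text/html` can and is worth adding to the same check. Where `type` comes from is outside this hunk; if it can be NULL at this point, the `strcmp` calls are undefined behaviour and the check should be guarded or placed after any existing NULL test. Note also that this is a denylist on the sender-declared type only: the remote origin decides the real Content-Type, so the comment above it should say as much, e.g. `/* best-effort: filters on the declared mediaType only, the remote server may still serve anything */`. html_entry() starts and ends outside the hunk.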