Check for commas in MIME type before generating preview
It was possible to bypass the preview check by sending a manipulated HTTP request with a MIME type like "image/png,text/html".
When parsing the Content-Type of a HTTP response, browsers see multiple MIME types, and the last one, text/html, takes precedence, allowing to execute potentially harmful JavaScript code.
This check was originally implemented to address CVE-2022-30110 then CVE-2024-12326.
git.p6c8.net / jirafeau / jirafeau.git / commit