[BUGFIX] Disallow file preview for image/svg+xml files
author MrWouterNL <wouter@dedroog.com>
Mon, 21 Mar 2022 19:46:14 +0000 (20:46 +0100)
committer MrWouterNL <wouter@dedroog.com>
Mon, 21 Mar 2022 19:46:14 +0000 (20:46 +0100)
lib/functions.js.php
lib/functions.php

index 7cf1da8644261a52476a3fcfc880fc33efdac3cb..14fad1da5fa98eadc2473c90cba890ad6161cba3 100644 (file)
@@ -182,16 +182,17 @@ function show_link (reference, delete_code, crypt_key, date)
         }
 
         // Test if content can be previewed
         }
 
         // Test if content can be previewed
-         type = document.getElementById('file_select').files[0].type;
-         if (type.startsWith('image/') ||
-                type.startsWith('audio') ||
-                type.startsWith('text/plain') ||
-                type.startsWith('video/'))
-         {
+        type = document.getElementById('file_select').files[0].type;
+        if ((type.startsWith('image/')
+                || type.startsWith('audio')
+                || type.startsWith('text/plain')
+                || type.startsWith('video/'))
+            && !type.includes('image/svg+xml'))
+        {
             document.getElementById('preview_link').href = preview_link_href;
             document.getElementById('preview_link_text').innerHTML = web_root + preview_link_href;
             document.getElementById('upload_finished_preview').style.display = '';
             document.getElementById('preview_link').href = preview_link_href;
             document.getElementById('preview_link_text').innerHTML = web_root + preview_link_href;
             document.getElementById('upload_finished_preview').style.display = '';
-         }
+        }
     }
 
     // Direct download link
     }
 
     // Direct download link
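Review bot: The new guard `&& !type.includes('image/svg+xml')` uses a substring test where an exact comparison is what is meant; `&& type !== 'image/svg+xml'` expresses the same rule without matching any longer string that happens to contain it (unless the reported type is expected to carry parameters, which File.type normally does not). A comment explaining why this one image subtype is singled out would help the next reader, e.g. `// SVG can carry script, so it is never offered for inline preview`. Note that `files[0].type` is whatever the browser reports for the selected file, so this branch only decides whether the upload page shows the preview link; the server-side check in lib/functions.php is the one that has to hold. show_link starts and ends outside this hunk.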
index c831b73e944c29257a367757ad86a79e5a6b03cd..6e5c88650422f9e34cbafee1c148fd3c1ac692a1 100644 (file)
@@ -511,7 +511,7 @@ function jirafeau_is_viewable($mime)
     if (!empty($mime)) {
         $viewable = array('image', 'video', 'audio');
         $decomposed = explode('/', $mime);
     if (!empty($mime)) {
         $viewable = array('image', 'video', 'audio');
         $decomposed = explode('/', $mime);
-        if (in_array($decomposed[0], $viewable)) {
+        if (in_array($decomposed[0], $viewable) && strpos($mime, 'image/svg+xml') === false) {
             return true;
         }
         $viewable = array('text/plain');
             return true;
         }
         $viewable = array('text/plain');
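Review bot: The added `strpos($mime, 'image/svg+xml') === false` is case-sensitive while MIME types are case-insensitive, so a stored type such as `image/SVG+XML` would still be reported as viewable; `stripos($mime, 'image/svg+xml') === false` closes that gap, and lower-casing `$mime` once before the `explode` would make the `in_array` prefix test consistent with it as well. The intent also deserves a comment, since SVG is the one image subtype that can embed script: `// SVG is an image that may contain script: never preview it inline`. Where `$mime` comes from is outside the hunk; if it is the type recorded at upload time it is client-supplied, so the code path that actually serves the preview should not rely on this value alone. jirafeau_is_viewable continues outside the hunk.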
