Update fix for potential XSS on /view (#8384)

* Update fix for potential XSS on /view This commit uses mimetypes to add more restricted filetypes to prevent from being served, since mimetypes are what browsers use to determine how to serve files. * Fix typo Fixed a typo that prevented the program from running
2025-06-16 00:05:32 +08:00 · 2025-06-02 06:52:44 -04:00 · 2025-06-02 06:52:44 -04:00 · 4f4f1c642a
commit 4f4f1c642a
parent 010954d277
1 changed files with 2 additions and 3 deletions
--- a/server.py
+++ b/server.py
@ -476,9 +476,8 @@ class PromptServer():
                        # Get content type from mimetype, defaulting to 'application/octet-stream'
                        content_type = mimetypes.guess_type(filename)[0] or 'application/octet-stream'

-                        # For security, force certain extensions to download instead of display
-                        file_extension = os.path.splitext(filename)[1].lower()
-                        if file_extension in {'.html', '.htm', '.js', '.css'}:
+                        # For security, force certain mimetypes to download instead of display
+                        if content_type in {'text/html', 'text/html-sandboxed', 'application/xhtml+xml', 'text/javascript', 'text/css'}:
                            content_type = 'application/octet-stream'  # Forces download

                        return web.FileResponse(