tim/invoiceninja
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #6985 from theWorstComrade/huntr_xss_fix

Browse source 
Document upload - fix stored xss
This commit is contained in:
David Bomba 2021-11-20 07:07:33 +11:00 committed by GitHub
commit 9e489535cc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
app/Models/Document.php
View file

@ -43,7 +43,7 @@ class Document extends EntityModel
'application/msword', 'application/msword',
'application/excel', 'application/vnd.ms-excel', 'application/x-excel', 'application/x-msexcel', 'application/excel', 'application/vnd.ms-excel', 'application/x-excel', 'application/x-msexcel',
'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/postscript', 'image/svg+xml', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/postscript',
'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/vnd.ms-powerpoint', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/vnd.ms-powerpoint',
]; ];
@ -57,9 +57,6 @@ class Document extends EntityModel
'ai' => [ 'ai' => [
'mime' => 'application/postscript', 'mime' => 'application/postscript',
], ],
'svg' => [
'mime' => 'image/svg+xml',
],
'jpeg' => [ 'jpeg' => [
'mime' => 'image/jpeg', 'mime' => 'image/jpeg',
], ],