Dont allow html render for RAW view

Dmitriy Zaporozhets
1 parent 1de270c9
Showing 1 changed file with 9 additions and 1 deletions Show diff stats
app/controllers/projects/raw_controller.rb
@@ -11,9 +11,17 @@ class Projects::RawController &lt; Projects::ApplicationController
     @blob = Gitlab::Git::Blob.new(@repository, @commit.id, @ref, @path)
  
     if @blob.exists?
+      type = if @blob.mime_type =~ /html|javascript/
+               'text/plain; charset=utf-8'
+             else
+               @blob.mime_type
+             end
+
+      headers['X-Content-Type-Options'] = 'nosniff'
+
       send_data(
         @blob.data,
-        type: @blob.mime_type,
+        type: type,
         disposition: 'inline',
         filename: @blob.name
       )
...	...	@@ -11,9 +11,17 @@ class Projects::RawController < Projects::ApplicationController
11	11	@blob = Gitlab::Git::Blob.new(@repository, @commit.id, @ref, @path)
12	12
13	13	if @blob.exists?
	14	+ type = if @blob.mime_type =~ /html\|javascript/
	15	+ 'text/plain; charset=utf-8'
	16	+ else
	17	+ @blob.mime_type
	18	+ end
	19	+
	20	+ headers['X-Content-Type-Options'] = 'nosniff'
	21	+
14	22	send_data(
15	23	@blob.data,
16		- type: @blob.mime_type,
	24	+ type: type,
17	25	disposition: 'inline',
18	26	filename: @blob.name
19	27	)
...	...