Closed carlosame closed 2 years ago
The transcoder keeps a list of allowed script media types based on the KEY_ALLOWED_SCRIPT_TYPES hint, which by default is:
"text/ecmascript, application/ecmascript, text/javascript, application/javascript, application/java-archive"
Note the whitespace after the commas. Due to how it is parsed, the MIME types are stored with a whitespace at the beginning, resulting in only the first item of the list actually matching the contains MIME type check:
https://github.com/css4j/echosvg/blob/8016a5cd342dc16cfc25827ddd96d82e7a496e22/echosvg-transcoder/src/main/java/io/sf/carte/echosvg/transcoder/SVGAbstractTranscoder.java#L1094
As a result, valid script media types are not allowed.
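An added illustration of the failure described in this issue, not EchoSVG's own code and not part of the original report: it assumes the hint is split on commas and each token stored untrimmed, then compares the resulting contains lookups with a parse that trims every entry. The class and method names are hypothetical.

```java
import java.util.LinkedHashSet;
import java.util.Set;

public class AllowedScriptTypesDemo {

    // Default hint value as quoted in the issue.
    static final String DEFAULT_ALLOWED =
        "text/ecmascript, application/ecmascript, text/javascript, "
        + "application/javascript, application/java-archive";

    // Assumed buggy behaviour: split on commas and store each token as-is,
    // so every entry after the first keeps its leading space.
    static Set<String> parseWithoutTrim(String hint) {
        Set<String> types = new LinkedHashSet<>();
        for (String token : hint.split(",")) {
            types.add(token);
        }
        return types;
    }

    // Corrected parse: trim each token and skip empty entries
    // (e.g. from a trailing comma) before storing it.
    static Set<String> parseTrimmed(String hint) {
        Set<String> types = new LinkedHashSet<>();
        for (String token : hint.split(",")) {
            String type = token.trim();
            if (!type.isEmpty()) {
                types.add(type);
            }
        }
        return types;
    }

    public static void main(String[] args) {
        Set<String> untrimmed = parseWithoutTrim(DEFAULT_ALLOWED);
        Set<String> trimmed = parseTrimmed(DEFAULT_ALLOWED);

        // Look up each media type exactly as a script element would declare it.
        for (String requested : trimmed) {
            System.out.printf("%-28s untrimmed=%-5b trimmed=%b%n",
                requested,
                untrimmed.contains(requested),
                trimmed.contains(requested));
        }
    }
}
```

The untrimmed set fails closed: it rejects types that were meant to be allowed rather than admitting ones that were not.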