Serving raw data out of the database could inadvertently lead to XSS attacks, if a site allows users to insert content that is later served up raw by this plugin.
These could be avoided by configuring a separate "media serving" domain - e.g. if the plugin was running on datasette.io but the media serving domain was datasette-user-content.io.
Both domains would point at the same instance. The datasette-media plugin could be configured to only serve assets on datasette-user-content.io based on the incoming Host header.
Serving raw data out of the database could inadvertently lead to XSS attacks, if a site allows users to insert content that is later served up raw by this plugin.
These could be avoided by configuring a separate "media serving" domain - e.g. if the plugin was running on
datasette.iobut the media serving domain wasdatasette-user-content.io.Both domains would point at the same instance. The
datasette-mediaplugin could be configured to only serve assets ondatasette-user-content.iobased on the incomingHostheader.