somenonymous / OshiUpload

Ephemeral file sharing engine
Do What The F*ck You Want To Public License

[question] Shouldn't the MIME type for SVG be 'image/svg+xml' instead of 'image/svg'? #11

Open gonubana opened 1 year ago

gonubana commented 1 year ago

It seems like the 0e456c2c15aed77330e208354397a975aa4ce090 commit used 'image/svg' instead of 'image/svg+xml'. I wasn't able to comment on that commit, by the way.

somenonymous commented 1 year ago

Will look into it, but I left it image/svg assuming there are more similar dangerous subtypes of SVG. If you can confirm image/svg+xml is the only exploitable type and some browsers won't execute JS in other subtypes, we can change it to image/svg+xml. There is not much information or general consensus between browsers on this yet.
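Added example, not part of the thread and not OshiUpload's code: a comparison of the two matching strategies under discussion, an exact match on `image/svg+xml` versus a prefix match on `image/svg`, run over constructed media-type strings. The function names, the fail-closed choice and the neutralizing response headers are assumptions made for illustration; the page does not show how the commit performs its check.

```python
# Illustrative sketch only. Names and policy are hypothetical, not the project's.

def parse_media_type(value):
    """Return the lowercased 'type/subtype' essence with parameters dropped,
    or None when the value is not a well-formed media type."""
    essence = value.split(";", 1)[0].strip().lower()
    if essence.count("/") != 1 or " " in essence:
        return None
    return essence

def must_neutralize(value, mode="prefix"):
    """Decide whether an upload's detected type is treated as SVG-like.

    mode="exact":  only the registered type image/svg+xml matches.
    mode="prefix": anything starting with image/svg matches, which
                   includes image/svg+xml and any other svg* subtype.
    """
    essence = parse_media_type(value)
    if essence is None:
        return True  # fail closed on values that cannot be parsed
    if mode == "exact":
        return essence == "image/svg+xml"
    return essence.startswith("image/svg")

def response_headers(detected_type, mode="prefix"):
    """Headers for serving the file (assumed policy: never render SVG inline)."""
    if must_neutralize(detected_type, mode):
        return {
            "Content-Type": "text/plain; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": "attachment",
        }
    return {"Content-Type": detected_type}

# Constructed sample values, not taken from the project or from real traffic.
SAMPLES = [
    "image/svg+xml",
    "IMAGE/SVG+XML; charset=utf-8",
    "image/svg",
    "image/svg-xml",
    "image/png",
]

def compare(samples=SAMPLES):
    """Return (value, exact_result, prefix_result) for each sample."""
    return [(s, must_neutralize(s, "exact"), must_neutralize(s, "prefix"))
            for s in samples]

if __name__ == "__main__":
    for value, exact, prefix in compare():
        print(f"{value!r:36} exact={exact!s:5} prefix={prefix}")
```

The prefix rule is a superset of the exact rule, so switching to an exact `image/svg+xml` match only narrows what is caught.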