mirror of
https://github.com/discourse/discourse.git
synced 2025-02-07 10:06:32 +08:00
31e31ef449
* strip out the href and xlink:href attributes from use element that are _not_ anchors in svgs which can be used for XSS * adding the content-disposition: attachment ensures that uploaded SVGs cannot be opened and executed using the XSS exploit. svgs embedded using an img tag do not suffer from the same exploit |
||
|---|---|---|
| .. | ||
| base_store.rb | ||
| local_store.rb | ||
| s3_store.rb | ||
| to_s3_migration.rb | ||