mirror of
https://github.com/discourse/discourse.git
synced 2024-12-13 11:33:46 +08:00
3f7658cc6e
* strip out the href and xlink:href attributes from use element that are _not_ anchors in svgs which can be used for XSS * adding the content-disposition: attachment ensures that uploaded SVGs cannot be opened and executed using the XSS exploit. svgs embedded using an img tag do not suffer from the same exploit |
||
---|---|---|
.. | ||
base_store.rb | ||
local_store.rb | ||
s3_store.rb | ||
to_s3_migration.rb |