Force to download xml and xsig files to prevent XSS attacks.

------ Forzamos la descarga de archivos xml y xsig para evitar ataques XSS.
NeoRazorX · May 16, 2022 · f1ca50d · f1ca50d
1 parent 7f3b156
commit f1ca50d
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/Core/App/AppRouter.php b/Core/App/AppRouter.php
@@ -206,8 +206,10 @@ private function download(string $filePath)
             ob_end_flush();
         }
 
-        // force to download svg files to prevent XSS attacks
-        if (strpos($filePath, '.svg') !== false) {
+        // force to download svg, xml and xsig files to prevent XSS attacks
+        $info = pathinfo($filePath);
+        $extension = strtolower($info['extension']);
+        if (in_array($extension, ['svg', 'xml', 'xsig'])) {
             header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');
         }