Block javascript in HTML media files

fisharebest · Oct 9, 2021 · fc90412 · fc90412
1 parent dd7fc1b
commit fc90412
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/app/Factories/ImageFactory.php b/app/Factories/ImageFactory.php
@@ -27,6 +27,7 @@
 use Fisharebest\Webtrees\Mime;
 use Fisharebest\Webtrees\Registry;
 use Fisharebest\Webtrees\Webtrees;
+use Illuminate\Contracts\Filesystem\FileNotFoundException;
 use Imagick;
 use Intervention\Image\Constraint;
 use Intervention\Image\Exception\NotReadableException;
@@ -98,7 +99,7 @@ public function fileResponse(FilesystemOperator $filesystem, string $path, bool
             $filename = $download ? addcslashes(basename($path), '"') : '';
 
             return $this->imageResponse($filesystem->read($path), $mime_type, $filename);
-        } catch (FileNotFoundException $ex) {
+        } catch (UnableToReadFile | FilesystemException $ex) {
             return $this->replacementImageResponse((string) StatusCodeInterface::STATUS_NOT_FOUND);
         }
     }
@@ -343,8 +344,10 @@ protected function imageResponse(string $data, string $mime_type, string $filena
                 ->withHeader('X-Image-Exception', 'SVG image blocked due to XSS.');
         }
 
+        // HTML files may contain javascript, so use content-security-policy to disable it.
         $response = response($data)
-            ->withHeader('content-type', $mime_type);
+            ->withHeader('content-type', $mime_type)
+            ->withHeader('content-security-policy', 'script-src none');
 
         if ($filename === '') {
             return $response;