From fc904122e0c1b55f274bc4c8cd883c266176e34e Mon Sep 17 00:00:00 2001
From: Greg Roach
Date: Sun, 10 Oct 2021 00:29:23 +0100
Subject: [PATCH] Block javascript in HTML media files
---
 app/Factories/ImageFactory.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/app/Factories/ImageFactory.php b/app/Factories/ImageFactory.php
index 8764bdbcd6c..257afe685e4 100644
--- a/app/Factories/ImageFactory.php
+++ b/app/Factories/ImageFactory.php
@@ -27,6 +27,7 @@
 use Fisharebest\Webtrees\Mime;
 use Fisharebest\Webtrees\Registry;
 use Fisharebest\Webtrees\Webtrees;
+use Illuminate\Contracts\Filesystem\FileNotFoundException;
 use Imagick;
 use Intervention\Image\Constraint;
 use Intervention\Image\Exception\NotReadableException;
@@ -98,7 +99,7 @@ public function fileResponse(FilesystemOperator $filesystem, string $path, bool
 $filename = $download ? addcslashes(basename($path), '"') : '';
 return $this->imageResponse($filesystem->read($path), $mime_type, $filename);
- } catch (FileNotFoundException $ex) {
+ } catch (UnableToReadFile | FilesystemException $ex) {
 return $this->replacementImageResponse((string) StatusCodeInterface::STATUS_NOT_FOUND);
 }
 }
@@ -343,8 +344,10 @@ protected function imageResponse(string $data, string $mime_type, string $filena
 ->withHeader('X-Image-Exception', 'SVG image blocked due to XSS.');
 }
+ // HTML files may contain javascript, so use content-security-policy to disable it.
 $response = response($data)
- ->withHeader('content-type', $mime_type);
+ ->withHeader('content-type', $mime_type)
+ ->withHeader('content-security-policy', 'script-src none');
 if ($filename === '') {
 return $response;
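Review bot: The import added in the first hunk, `use Illuminate\Contracts\Filesystem\FileNotFoundException;`, is not referenced anywhere on the new side — the second hunk is the only visible use of that name and it replaces it with `UnableToReadFile | FilesystemException`, so the added line looks like an unused import pulled from the wrong package. The names the catch now uses are presumably `League\Flysystem\UnableToReadFile` and `League\Flysystem\FilesystemException` (the signature already takes a `FilesystemOperator`), and this diff adds neither; if they are not imported elsewhere above line 27, PHP resolves them relative to the file's namespace without complaint and the catch never matches, so a missing or unreadable file would surface as an uncaught exception instead of the 404 replacement image. Suggest replacing the added line with `use League\Flysystem\FilesystemException;` and `use League\Flysystem\UnableToReadFile;` and dropping the Illuminate import, unless those two are already in scope. fileResponse starts and ends outside the hunk.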
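Review bot: The CSP value `'script-src none'` in the third hunk is not the keyword form — CSP keywords must be quoted (`'none'`), and an unquoted `none` is parsed as a host-source for a host literally named none, which browsers accept with a console warning rather than as the intended keyword. Inline scripts and `javascript:` URLs happen to be blocked either way because `'unsafe-inline'` is absent, but the header should read `->withHeader('content-security-policy', "default-src 'none'")` (or at minimum `"script-src 'none'"`), since `default-src` also covers plugins, frames, images and styles that an attacker-supplied HTML file could otherwise load. Adding `->withHeader('x-content-type-options', 'nosniff')` alongside would stop a browser from sniffing a non-HTML media file as HTML, unless that header is already set globally, which is not visible here. imageResponse starts and ends outside the hunk.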