Fix SVGs not rendering in issuables
What does this MR do and why?
In !95859 (merged) we set all attachments to application/octet-stream to avoid mislabeling MIME types, such as sending Microsoft Word documents as ZIP files. However, this prevented SVG files from showing in issues because the Content-Type did not reflect an SVG file.
To fix this, carve out an exception for SVG files since this is the only image type that can be downgraded at the moment from inline to attachment. Note that there is no XSS issue as long as Content-Disposition is set to attachment. Browsers such as Firefox appear to render SVGs and ignore script tags unless the Content-Disposition is inline and the file is downloaded separately.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
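The header rule this MR describes, written out as an added Ruby example (not GitLab's code), together with a check that an SVG response is only ever sent with an attachment disposition. The method names, the inline allowlist and the sample file names are assumptions made for illustration.

```ruby
# Added illustration; names below are hypothetical, not taken from GitLab.
SVG_MIME    = 'image/svg+xml'
BINARY_MIME = 'application/octet-stream'

# Constructed allowlist of raster image types that may be shown inline.
INLINE_SAFE = {
  '.png' => 'image/png',
  '.jpg' => 'image/jpeg',
  '.gif' => 'image/gif'
}.freeze

# Choose response headers for an uploaded file.
# - allowlisted raster images: real type, inline
# - SVG: real type (so an issue can display it), but forced to attachment
# - everything else: generic binary type, attachment
def upload_headers(filename)
  ext = File.extname(filename).downcase
  # Keep the quoted filename parameter free of quotes, spaces and control chars.
  safe_name = filename.gsub(/[^\w.\-]/, '_')
  attachment = %(attachment; filename="#{safe_name}")

  if INLINE_SAFE.key?(ext)
    { 'Content-Type' => INLINE_SAFE[ext], 'Content-Disposition' => 'inline' }
  elsif ext == '.svg'
    { 'Content-Type' => SVG_MIME, 'Content-Disposition' => attachment }
  else
    { 'Content-Type' => BINARY_MIME, 'Content-Disposition' => attachment }
  end
end

# Regression check for the invariant stated in the description:
# an SVG Content-Type is acceptable only with Content-Disposition: attachment.
def svg_served_safely?(headers)
  type = headers['Content-Type'].to_s.split(';').first.to_s.strip.downcase
  return true unless type == SVG_MIME

  headers['Content-Disposition'].to_s.strip.downcase.start_with?('attachment')
end

# Constructed sample uploads.
if __FILE__ == $PROGRAM_NAME
  %w[diagram.svg report.docx photo.png].each do |name|
    h = upload_headers(name)
    puts "#{name}: #{h['Content-Type']} / #{h['Content-Disposition']} " \
         "(svg safe: #{svg_served_safely?(h)})"
  end
end
```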