Fix SVGs not rendering in issuables

Stan Hu requested to merge sh-make-svg-show-again into master

What does this MR do and why?

In !95859 (merged) we set all attachments to application/octet-stream to avoid mislabeling MIME types, such as sending Microsoft Word documents as ZIP files. However, this prevented SVG files from showing in issues because the Content-Type did not reflect an SVG file.

To fix this, carve out an exception for SVG files since this is the only image type that can be downgraded at the moment from inline to attachment. Note that there is no XSS issue as long as Content-Disposition is set to attachment. Browsers such as Firefox appear to render SVGs and ignore script tags unless the Content-Disposition is inline and the file is downloaded separately.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
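The header policy described in this MR, sketched in Ruby as an added example; it is not GitLab's code. The function name, the inline allow-list and the filename sanitizing are assumptions made for illustration.

```ruby
# Added illustration of the policy in the MR description; all names are hypothetical.
SVG_TYPE     = 'image/svg+xml'
GENERIC_TYPE = 'application/octet-stream'
# Assumption: types considered safe to render inline. SVG is deliberately absent,
# so an inline request for an SVG is downgraded to attachment.
INLINE_SAFE_TYPES = %w[image/png image/jpeg image/gif].freeze

# detected_type:         MIME type determined from the file (assumed input)
# requested_disposition: 'inline' or 'attachment'
def download_headers(detected_type, requested_disposition, filename)
  disposition = requested_disposition
  # Downgrade anything not on the allow-list from inline to attachment.
  disposition = 'attachment' unless INLINE_SAFE_TYPES.include?(detected_type)

  content_type =
    if disposition == 'inline'
      detected_type   # allow-listed image keeps its real type
    elsif detected_type == SVG_TYPE
      SVG_TYPE        # the carve-out: real type, but still an attachment
    else
      GENERIC_TYPE    # every other attachment stays generic to avoid mislabeling
    end

  # Keep quotes and control characters out of the header value.
  safe_name = filename.gsub(/[^\w.\-]/, '_')

  {
    'Content-Type'        => content_type,
    'Content-Disposition' => %(#{disposition}; filename="#{safe_name}")
  }
end

# Constructed sample inputs.
[
  ['image/svg+xml',   'inline',     'diagram.svg'],
  ['application/zip', 'attachment', 'report.docx'],
  ['image/png',       'inline',     'screenshot.png']
].each do |type, disposition, name|
  puts "#{name}: #{download_headers(type, disposition, name)}"
end
```

The SVG row is the case the MR restores: the Content-Type is `image/svg+xml`, while the disposition remains `attachment`.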
