[BUGFIX] Disallow file preview for image/svg+xml files
This PR fixes the issue I've privately disclosed in #284.
EDIT: Since this issue is now fixed I feel comfortable in sharing the details. In Jirafeau versions before 4.4.0, it was possible to exploit the File Preview functionality to execute JavaScript for every user that visited a specifically crafted file preview.
This was possible because image/svg+xml files were directly shown to the user. image/svg+xml files can contain executable JavaScript, meaning that a malicious actor could upload an SVG file containing JavaScript. When a user visited this page, the JavaScript embedded in this file would be executed. This could for example lead to account takeovers or redirect users to phishing pages.
As an example, the following SVG file could be uploaded: test.svg. When a user visits the Jirafeau preview link for this image in versions before 4.4.0, an alert box will open with the current URL.
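The defensive pattern behind this fix, as an added example that is not Jirafeau's own code: inline preview is decided by an allowlist of MIME types from which image/svg+xml is deliberately absent, and anything outside the allowlist is served as a forced download with a generic content type. The function names (preview_allowed, preview_headers), the particular allowlist entries and the CSP values are assumptions for illustration, not the project's actual configuration.

```php
<?php
// Added example, not code from Jirafeau. Decide whether a stored file may be
// rendered inline as a preview, and build the response headers accordingly.

// Assumed allowlist of types that browsers render without executing script.
// image/svg+xml is intentionally missing: SVG is XML and may carry <script>
// elements or event-handler attributes, so it must never be shown inline.
const PREVIEWABLE_TYPES = [
    'image/png',
    'image/jpeg',
    'image/gif',
    'image/webp',
    'audio/mpeg',
    'video/mp4',
    'text/plain',
];

// Returns true only for types on the allowlist. The type is normalised first so
// that case differences or appended parameters ("; charset=utf-8") cannot be
// used to slip past an exact-string comparison.
function preview_allowed(string $mime): bool
{
    $base = strtolower(trim(explode(';', $mime, 2)[0]));
    return in_array($base, PREVIEWABLE_TYPES, true);
}

// Builds the headers for serving a file. Allowed types are served inline with a
// CSP that forbids script even if the type was mis-detected; everything else is
// forced to download under application/octet-stream so the browser never tries
// to interpret the bytes as a document.
function preview_headers(string $mime, string $filename): array
{
    // RFC 5987 encoding keeps user-supplied filenames out of header syntax.
    $disposition_name = "filename*=UTF-8''" . rawurlencode($filename);

    $headers = ['X-Content-Type-Options: nosniff'];
    if (preview_allowed($mime)) {
        $headers[] = 'Content-Type: ' . strtolower(trim(explode(';', $mime, 2)[0]));
        $headers[] = 'Content-Disposition: inline; ' . $disposition_name;
        $headers[] = "Content-Security-Policy: default-src 'none'; img-src 'self'; media-src 'self'";
    } else {
        $headers[] = 'Content-Type: application/octet-stream';
        $headers[] = 'Content-Disposition: attachment; ' . $disposition_name;
        $headers[] = "Content-Security-Policy: default-src 'none'";
    }
    return $headers;
}

// Small CLI demonstration with constructed inputs.
if (PHP_SAPI === 'cli') {
    $samples = [
        'image/png',
        'image/svg+xml',
        'IMAGE/SVG+XML; charset=utf-8', // would bypass a naive case-sensitive check
        'text/html',
    ];
    foreach ($samples as $type) {
        printf("%-32s preview=%s\n", $type, preview_allowed($type) ? 'yes' : 'no');
    }
    foreach (preview_headers('image/svg+xml', 'test.svg') as $h) {
        echo $h, "\n";
    }
}
```

Run with `php preview.php`; the SVG sample reports preview=no and is served with Content-Disposition: attachment. The allowlist approach is preferable to a denylist of known-dangerous types because any type not explicitly reviewed defaults to download, which is the same direction this PR takes by removing SVG from the previewable set rather than trying to sanitise it.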