From b00d6a8ca060dab01fb9a9d5d2f6f02a6bac818c Mon Sep 17 00:00:00 2001
From: Test User
Date: Fri, 17 Apr 2026 06:46:24 +0000
Subject: [PATCH] fix(GRO-642): restrict allowed logo MIME types to bitmap formats only

Exclude image/svg+xml from the frontend allowlist since SVG poses greater XSS risk due to its ability to contain scripts, even with proper Content-Type validation. The server-side validation (commit 8182870) still accepts SVG and validates magic bytes, but the frontend restrict to safer bitmap formats as specified in the issue.

Co-Authored-By: Paperclip
---
 apps/web/src/pages/Settings.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/web/src/pages/Settings.tsx b/apps/web/src/pages/Settings.tsx
index 291b5e1..8d70d06 100644
--- a/apps/web/src/pages/Settings.tsx
+++ b/apps/web/src/pages/Settings.tsx
@@ -27,7 +27,7 @@ interface AuthProviderForm {
 
 const REDACTED = "••••••••";
 
-const ALLOWED_LOGO_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp", "image/svg+xml"]);
+const ALLOWED_LOGO_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);
 
 interface CurrentUser {
   id: string;
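Review bot: Trimming `ALLOWED_LOGO_TYPES` in the frontend does not close the SVG risk the commit message describes, because the message itself says the server-side allowlist (commit 8182870) still accepts `image/svg+xml`, and a client-side allowlist is not a security boundary — anyone can submit the upload request without the web UI. The value this set is presumably compared against is the browser-reported `File.type`, which is derived from the filename and not from content, so it should be read as a UX filter only; the consuming code is outside this hunk, so that is inferred. I would document that intent on the constant so nobody later treats it as the control: `// UX-level filter only: the browser-reported MIME type is untrusted; the server allowlist and magic-byte check are authoritative.` If the goal of GRO-642 is to remove the SVG XSS exposure, the server allowlist needs the same change (and uploaded logos should be served with a nosniff/attachment disposition as defense in depth), or the two lists should be documented as intentionally divergent.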