groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(GRO-642): sanitize logo MIME type to prevent XSS in data URL rendering

Browse Source 
Add ALLOWED_LOGO_TYPES allowlist check before constructing data URL from
user-controlled logoBase64 and logoMimeType fields. Only MIME types that
the API explicitly accepts (image/png, image/jpeg, image/gif, image/webp,
image/svg+xml) can be rendered as data URLs.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Test User
2026-04-17 06:45:06 +00:00
parent 8182870d38
commit f8ea417799
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/pages/Settings.tsx
+3 -1
View File
@@ -27,6 +27,8 @@ interface AuthProviderForm {
const REDACTED = "••••••••"; const REDACTED = "••••••••";
const ALLOWED_LOGO_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp", "image/svg+xml"]);
interface CurrentUser { interface CurrentUser {
id: string; id: string;
name: string; name: string;
@@ -326,7 +328,7 @@ issuerUrl: authForm.issuerUrl,
if (!loaded) return <p>Loading settings...</p>; if (!loaded) return <p>Loading settings...</p>;
const logoSrc = form.logoUrl ?? (form.logoBase64 && form.logoMimeType ? `data:${form.logoMimeType};base64,${form.logoBase64}` : null); const logoSrc = form.logoUrl ?? (form.logoBase64 && form.logoMimeType && ALLOWED_LOGO_TYPES.has(form.logoMimeType) ? `data:${form.logoMimeType};base64,${form.logoBase64}` : null);
return ( return (
<div style={{ maxWidth: 600 }}> <div style={{ maxWidth: 600 }}>