Dont allow html render for RAW view

c9b06887 · Dmitriy Zaporozhets · Wes Gurney · af49f2eb · c9b06887
Commit c9b06887 authored 11 years ago by Dmitriy Zaporozhets Committed by Wes Gurney 11 years ago
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@@ -11,9 +11,17 @@ class Projects::RawController < Projects::ApplicationController
    @blob = Gitlab::Git::Blob.new(@repository, @commit.id, @ref, @path)
  
    if @blob.exists?
+      type = if @blob.mime_type =~ /html|javascript/
+               'text/plain; charset=utf-8'
+             else
+               @blob.mime_type
+             end
+
+      headers['X-Content-Type-Options'] = 'nosniff'
+
      send_data(
        @blob.data,
-        type: @blob.mime_type,
+        type: type,
        disposition: 'inline',
        filename: @blob.name
      )