Dont allow html render for RAW view

author: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2013-09-03 20:55:01 +0300
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2013-09-03 20:56:17 +0300
commit: e3d1633a976f921112979030bd82f8953537c330 (patch)
tree: d6bb88190748460dac2ca5889b6c0b26573b1a22
parent: 6c1c2842ec4d41df25232349e51d9d54fab22f4c (diff)
download: gitlab-ce-e3d1633a976f921112979030bd82f8953537c330.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/app/controllers/projects/raw_controller.rb b/app/controllers/projects/raw_controller.rb
index 0d35f373e9c..0c23d411f4c 100644
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@@ -11,9 +11,17 @@ class Projects::RawController < Projects::ApplicationController
     @blob = Gitlab::Git::Blob.new(@repository, @commit.id, @ref, @path)
 
     if @blob.exists?
+      type = if @blob.mime_type =~ /html|javascript/
+               'text/plain; charset=utf-8'
+             else
+               @blob.mime_type
+             end
+
+      headers['X-Content-Type-Options'] = 'nosniff'
+
       send_data(
         @blob.data,
-        type: @blob.mime_type,
+        type: type,
         disposition: 'inline',
         filename: @blob.name
       )
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2013-09-03 20:55:01 +0300
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2013-09-03 20:56:17 +0300
commit	e3d1633a976f921112979030bd82f8953537c330 (patch)
tree	d6bb88190748460dac2ca5889b6c0b26573b1a22
parent	6c1c2842ec4d41df25232349e51d9d54fab22f4c (diff)
download	gitlab-ce-e3d1633a976f921112979030bd82f8953537c330.tar.gz