From 08c5d5b65da5792bb0782ebb6554fff4713ecc0c Mon Sep 17 00:00:00 2001
From: Jesse Gonyou <168374102+jessegonyou@users.noreply.github.com>
Date: Sun, 1 Jun 2025 21:02:49 -0400
Subject: [PATCH 1/2] Update fix for potential XSS on /view

This commit uses mimetypes to add more restricted filetypes to prevent from being served, since mimetypes are what browsers use to determine how to serve files.

---
 server.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/server.py b/server.py
index 6e283fe3177d..85aafbb365eb 100644
--- a/server.py
+++ b/server.py
@@ -476,9 +476,8 @@ async def view_image(request):
     # Get content type from mimetype, defaulting to 'application/octet-stream'
     content_type = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
 
-    # For security, force certain extensions to download instead of display
-    file_extension = os.path.splitext(filename)[1].lower()
-    if file_extension in {'.html', '.htm', '.js', '.css'}:
+    # For security, force certain mimetypes to download instead of display
+    if or content_type in {'text/html', 'text/html-sandboxed', 'application/xhtml+xml', 'text/javascript', 'text/css'}:
         content_type = 'application/octet-stream' # Forces download
 
     return web.FileResponse(

From 104f13834353df720c79a20bbc622334968d440f Mon Sep 17 00:00:00 2001
From: Jesse Gonyou <168374102+jessegonyou@users.noreply.github.com>
Date: Sun, 1 Jun 2025 22:21:23 -0400
Subject: [PATCH 2/2] Fix typo

Fixed a typo that prevented the program from running

---
 server.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server.py b/server.py
index 85aafbb365eb..aca67a2e7ed1 100644
--- a/server.py
+++ b/server.py
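Review bot: The new denylist keyed on `mimetypes.guess_type` is less robust than the extension check it replaces, because the type returned for `.js` depends on the interpreter and the host's mime.types database — Python versions before 3.12 report `application/javascript`, which is not in the set, so a script file would be served inline again there (the same `if` line, with the stray `or` removed, is what the second hunk ends up with). At minimum add `'application/javascript'` to the set; more robustly, since the handler is `view_image`, invert the logic to an allowlist of the raster image types the app actually stores (confirm against the upload path) and treat everything else as a download, e.g. `if content_type not in {'image/png', 'image/jpeg', 'image/gif', 'image/webp'}:` (sample set, constructed — note `image/svg+xml` should stay out of such a list as it may embed script). Rewriting `content_type` alone does not reliably force a download because browsers may sniff the body, so the `web.FileResponse(...)` call, which continues outside the hunk, should also send `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment` for the blocked case if it does not already. The comment on the new line would read better as `# Never let user-supplied files render as a document in this origin; only known image types are shown inline`.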
@@ -477,7 +477,7 @@ async def view_image(request):
     content_type = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
 
     # For security, force certain mimetypes to download instead of display
-    if or content_type in {'text/html', 'text/html-sandboxed', 'application/xhtml+xml', 'text/javascript', 'text/css'}:
+    if content_type in {'text/html', 'text/html-sandboxed', 'application/xhtml+xml', 'text/javascript', 'text/css'}:
         content_type = 'application/octet-stream' # Forces download
 
     return web.FileResponse(