From 564ceda1247f444bc7c20c6be01cf71f62c549f1 Mon Sep 17 00:00:00 2001
From: Runxi Yu
Date: Thu, 3 Apr 2025 18:04:16 +0800
Subject: HTTP: Serve raw blobs with application/octet-stream

So we don't get XSSed. Might be useful to use heuristics to detect whether it's displayable as text/plain, though.

Fixes: https://todo.sr.ht/~runxiyu/forge/20#event-411435
---
 http_handle_repo_raw.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/http_handle_repo_raw.go b/http_handle_repo_raw.go
index 4394e18..75296d6 100644
--- a/http_handle_repo_raw.go
+++ b/http_handle_repo_raw.go
@@ -77,6 +77,7 @@ func httpHandleRepoRaw(writer http.ResponseWriter, request *http.Request, params
 }
 cost := time.Since(start).Nanoseconds()
 commitPathFileRawCache.Set(cacheHandle, fileContent, cost)
+writer.Header().Set("Content-Type", "application/octet-stream")
 fmt.Fprint(writer, fileContent)
 return
 }
-- 
cgit v1.2.3
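Review bot: The Content-Type set on the added line is only half of the anti-XSS fix; it stops net/http from sniffing the first bytes of an HTML blob into text/html, but it does not stop a browser from sniffing an octet-stream body itself, so add `writer.Header().Set("X-Content-Type-Options", "nosniff")` directly after it. If the blob should never be rendered in the forge's origin at all, `writer.Header().Set("Content-Disposition", "attachment")` on the next line closes that door too, at the cost of the browser no longer displaying the raw file inline. The header is set after commitPathFileRawCache.Set and only on this cache-miss path; if httpHandleRepoRaw has an earlier cache-hit branch that writes fileContent and returns (the Set call suggests one), that branch needs the same headers, so setting them once before either write would be safer. httpHandleRepoRaw starts before this hunk, so any such branch is not visible here.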