Disable content sniffing on `PlainTextBytes` (#18359)

- Disable the browser's function to "sniff" for the content-type on the
provided plain text, this will prevent the possible usage of
user-controlled data being sent, which could be malicious.

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

diff --git a/modules/context/context.go b/modules/context/context.go
index 998eafe965fcd5c665c0dc839f85e20eec7cc1a8..0cbdfa023c6b62eaf23fead7f5fd1412e03341e7 100644 (file)
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -292,6 +292,7 @@ func (ctx *Context) PlainTextBytes(status int, bs []byte) {
        }
        ctx.Resp.WriteHeader(status)
        ctx.Resp.Header().Set("Content-Type", "text/plain;charset=utf-8")
+       ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")
        if _, err := ctx.Resp.Write(bs); err != nil {
                log.Error("Write bytes failed: %v", err)
        }