diff options
| author | Jonathan Tran <jonnytran@gmail.com> | 2021-01-12 22:45:19 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-01-12 22:45:19 -0500 |
| commit | 81467e6f35f343b911c09f746deca869a48da4c8 (patch) | |
| tree | 1b759007789bc0dbeeb543d54739ccf8b8dfb434 /integrations/download_test.go | |
| parent | 9465e60504284699078e620f7c892a9685d91458 (diff) | |
| download | gitea-81467e6f35f343b911c09f746deca869a48da4c8.tar.gz gitea-81467e6f35f343b911c09f746deca869a48da4c8.zip | |
Display SVG files as images instead of text (#14101)
* Change to display SVG files as images
* Remove unsafe styles from SVG CSP
* Add integration test to test SVG headers
* Add config setting to disable SVG rendering
* Add test for img tag when loading SVG image
* Remove the Raw view button for svg files since we don't fully support this
* Fix copyright year
* Rename and move config setting
* Add setting to cheat sheet in docs
* Fix so that comment matches cheat sheet
* Add allowing styles in CSP based on pull request feedback
* Re-enable raw button since we show SVG styles now
* Change so that SVG files are editable
* Add UI to toggle between source and rendered image for SVGs
* Change to show blame button for SVG images
* Fix to update ctx data
* Add test for DetectContentType when file is longer than sniffLen
Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Diffstat (limited to 'integrations/download_test.go')
| -rw-r--r-- | integrations/download_test.go | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/integrations/download_test.go b/integrations/download_test.go index 6bc5e5a9af..305155e9ac 100644 --- a/integrations/download_test.go +++ b/integrations/download_test.go @@ -23,6 +23,20 @@ func TestDownloadByID(t *testing.T) { assert.Equal(t, "# repo1\n\nDescription for repo1", resp.Body.String()) } +func TestDownloadByIDForSVGUsesSecureHeaders(t *testing.T) { + defer prepareTestEnv(t)() + + session := loginUser(t, "user2") + + // Request raw blob + req := NewRequest(t, "GET", "/user2/repo2/raw/blob/6395b68e1feebb1e4c657b4f9f6ba2676a283c0b") + resp := session.MakeRequest(t, req, http.StatusOK) + + assert.Equal(t, "default-src 'none'; style-src 'unsafe-inline'; sandbox", resp.HeaderMap.Get("Content-Security-Policy")) + assert.Equal(t, "image/svg+xml", resp.HeaderMap.Get("Content-Type")) + assert.Equal(t, "nosniff", resp.HeaderMap.Get("X-Content-Type-Options")) +} + func TestDownloadByIDMedia(t *testing.T) { defer prepareTestEnv(t)() @@ -34,3 +48,17 @@ func TestDownloadByIDMedia(t *testing.T) { assert.Equal(t, "# repo1\n\nDescription for repo1", resp.Body.String()) } + +func TestDownloadByIDMediaForSVGUsesSecureHeaders(t *testing.T) { + defer prepareTestEnv(t)() + + session := loginUser(t, "user2") + + // Request raw blob + req := NewRequest(t, "GET", "/user2/repo2/media/blob/6395b68e1feebb1e4c657b4f9f6ba2676a283c0b") + resp := session.MakeRequest(t, req, http.StatusOK) + + assert.Equal(t, "default-src 'none'; style-src 'unsafe-inline'; sandbox", resp.HeaderMap.Get("Content-Security-Policy")) + assert.Equal(t, "image/svg+xml", resp.HeaderMap.Get("Content-Type")) + assert.Equal(t, "nosniff", resp.HeaderMap.Get("X-Content-Type-Options")) +} |