[UPDT] HORILLA: Add SVG security middleware to prevent script execution

2025-09-08 11:32:08 +05:30
parent d4a33a50da
commit 255dd0ddb4
1 changed files with 19 additions and 0 deletions
--- a/horilla/horilla_middlewares.py
+++ b/horilla/horilla_middlewares.py
@@ -14,6 +14,8 @@ from horilla.settings import MIDDLEWARE
 MIDDLEWARE.append("base.middleware.CompanyMiddleware")
 MIDDLEWARE.append("horilla.horilla_middlewares.MethodNotAllowedMiddleware")
 MIDDLEWARE.append("horilla.horilla_middlewares.ThreadLocalMiddleware")
+MIDDLEWARE.append("horilla.horilla_middlewares.SVGSecurityMiddleware")
+MIDDLEWARE.append("accessibility.middlewares.AccessibilityMiddleware")
 MIDDLEWARE.append("accessibility.middlewares.AccessibilityMiddleware")
 MIDDLEWARE.append("base.middleware.ForcePasswordChangeMiddleware")
 MIDDLEWARE.append("base.middleware.TwoFactorAuthMiddleware")
@@ -43,3 +45,20 @@ class MethodNotAllowedMiddleware:
        if isinstance(response, HttpResponseNotAllowed):
            return render(request, "405.html")
        return response
+
+
+class SVGSecurityMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+
+        # Apply security headers to SVG files
+        if request.path.endswith(".svg") and response.status_code == 200:
+            response["Content-Security-Policy"] = (
+                "default-src 'none'; style-src 'unsafe-inline';"
+            )
+            response["X-Content-Type-Options"] = "nosniff"
+
+        return response