fix GHSA-m6hv-x64c-27mm: svg nohtml

ed
2026-03-08 19:48:12 +00:00
parent 981a7cd9dd
commit 1c9f894e14
7 changed files with 73 additions and 33 deletions


@@ -2907,7 +2907,9 @@ some notes on hardening
* set `--rproxy 0` *if and only if* your copyparty is directly facing the internet (not through a reverse-proxy)
* cors doesn't work right otherwise
* if you allow anonymous uploads or otherwise don't trust the contents of a volume, you can prevent XSS with volflag `nohtml`
* this returns html documents as plaintext, and also disables markdown rendering
* this returns html documents and svg images as plaintext, and also disables markdown rendering
* the `nohtml` volflag also enables `noscript` which, on its own, prevents *most* javascript from running; enabling just `noscript` without `nohtml` makes it probably-safe (see below) to view html and svg files, but `nohtml` is necessary to block javascript in markdown documents
* "probably-safe" because it relies on `Content-Security-Policy` so it depends on the reverseproxy to forward it, and the browser to understand it, but `nohtml` (the nuclear option) always works
* when running behind a reverse-proxy, listen on a unix-socket for tighter access control (and more performance); see [reverse-proxy](#reverse-proxy) or [`--help-bind`](https://copyparty.eu/cli/#bind-help-page)
safety profiles:
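Review bot: the new wording "returns html documents and svg images as plaintext" does not say how an svg is identified (by file extension, by sniffed content, or by a configured `image/svg+xml` mapping), and neither this line nor the surrounding `nohtml` bullets say which response headers the plaintext downgrade relies on; since the hunk already warns that the `noscript`-only mode depends on the reverse proxy forwarding `Content-Security-Policy`, readers need the same detail to check the "`nohtml` (the nuclear option) always works" claim against their own proxy setup. Consider extending the new line with the detection rule and the headers the plaintext response is sent with, e.g. "svg is detected by file extension; the plaintext response is served as `Content-Type: text/plain` with `X-Content-Type-Options: nosniff`" (adjusted to whatever the code actually does), and, if detection is by extension only, note that in the same bullet so operators know renamed files are not covered.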