fix: only allow png/jpg/bmp in cover/profile images

2026-04-14 00:18:03 +02:00 · 2019-09-21 23:10:49 -04:00
parent 5505628c8d
commit 96ab8d05aa
5 changed files with 76 additions and 46 deletions
--- a/test/uploads.js
+++ b/test/uploads.js
@@ -215,6 +215,13 @@ describe('Upload Controllers', function () {
 			});
 		});

+		it('should not allow svg uploads', function (done) {
+			socketUser.updateCover({ uid: 1 }, { uid: 1, imageData: 'data:image/svg;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+' }, function (err) {
+				assert.equal(err.message, '[[error:invalid-image]]');
+				done();
+			});
+		});
+
 		it('should not allow non image uploads', function (done) {
 			socketUser.uploadCroppedPicture({ uid: 1 }, { uid: 1, imageData: 'data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+' }, function (err) {
 				assert.equal(err.message, '[[error:invalid-image]]');
@@ -222,6 +229,13 @@ describe('Upload Controllers', function () {
 			});
 		});

+		it('should not allow svg uploads', function (done) {
+			socketUser.uploadCroppedPicture({ uid: 1 }, { uid: 1, imageData: 'data:image/svg;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+' }, function (err) {
+				assert.equal(err.message, '[[error:invalid-image]]');
+				done();
+			});
+		});
+
 		it('should delete users uploads if account is deleted', function (done) {
 			var jar;
 			var uid;