mirror of
https://github.com/vector-im/hydrogen-web.git
synced 2024-12-22 19:14:52 +01:00
Merge pull request #1074 from vector-im/bwindels/expose-create-blob-method-without-filter
expose method on BlobHandle to create a handle without mimetype filtering
commit
a87edcf99e
@ -300,7 +300,8 @@ export class Platform {
|
||||
const file = input.files[0];
|
||||
this._container.removeChild(input);
|
||||
if (file) {
|
||||
resolve({name: file.name, blob: BlobHandle.fromBlob(file)});
|
||||
// ok to not filter mimetypes as these are local files
|
||||
resolve({name: file.name, blob: BlobHandle.fromBlobUnsafe(file)});
|
||||
} else {
|
||||
resolve();
|
||||
}
|
||||
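Review bot: The added comment `// ok to not filter mimetypes as these are local files` justifies the unfiltered factory by where the bytes come from, but the risk that `fromBlobUnsafe` documents is about how the blob is rendered afterwards. A file chosen through the picker keeps whatever type the browser assigns to it, HTML and SVG included, so the safety presumably rests on callers only uploading or encrypting this handle and never opening its object URL in the app's origin; that use is not visible in this hunk. I would state that invariant in the comment instead, for example `// unfiltered type is acceptable only because this handle is uploaded, never rendered from its blob URL`. The enclosing function starts and ends outside the hunk.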
|
@ -76,7 +76,7 @@ const DEFAULT_MIMETYPE = 'application/octet-stream';
|
||||
export class BlobHandle {
|
||||
/**
|
||||
* @internal
|
||||
* Don't use the constructor directly, instead use fromBuffer, fromBlob or fromBufferUnsafe
|
||||
* Don't use the constructor directly, instead use fromBuffer or fromBlobUnsafe
|
||||
* */
|
||||
constructor(blob, buffer = null) {
|
||||
this._blob = blob;
|
||||
@ -84,13 +84,6 @@ export class BlobHandle {
|
||||
this._url = null;
|
||||
}
|
||||
|
||||
/** Does not filter out mimetypes that could execute embedded javascript.
|
||||
* It's up to the callee of this method to ensure that the blob won't be
|
||||
* rendered by the browser in a way that could allow cross-signing scripting. */
|
||||
static fromBufferUnsafe(buffer, mimetype) {
|
||||
return new BlobHandle(new Blob([buffer], {type: mimetype}), buffer);
|
||||
}
|
||||
|
||||
static fromBuffer(buffer, mimetype) {
|
||||
mimetype = mimetype ? mimetype.split(";")[0].trim() : '';
|
||||
if (!ALLOWED_BLOB_MIMETYPES[mimetype]) {
|
||||
@ -99,8 +92,10 @@ export class BlobHandle {
|
||||
return new BlobHandle(new Blob([buffer], {type: mimetype}), buffer);
|
||||
}
|
||||
|
||||
static fromBlob(blob) {
|
||||
// ok to not filter mimetypes as these are local files
|
||||
/** Does not filter out mimetypes that could execute embedded javascript.
|
||||
* It's up to the callee of this method to ensure that the blob won't be
|
||||
* rendered by the browser in a way that could allow cross-signing scripting. */
|
||||
static fromBlobUnsafe(blob) {
|
||||
return new BlobHandle(blob);
|
||||
}
|
||||
|
||||
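Review bot: The doc comment now placed on `fromBlobUnsafe` has two wording errors that blur the security contract: it says "callee" where the caller carries the responsibility, and "cross-signing scripting" where cross-site scripting is meant. Suggested wording: `It's up to the caller of this method to ensure that the blob won't be rendered by the browser in a way that could allow cross-site scripting.` Because `fromBlobUnsafe` passes the blob's own `type` through untouched while `fromBuffer` checks it against `ALLOWED_BLOB_MIMETYPES`, the comment could also name `fromBuffer` as the factory to use for any data that did not originate on the local device. The class body continues outside the visible hunks.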
|
@ -64,7 +64,8 @@ export class ImageHandle {
|
||||
} else {
|
||||
throw new Error("canvas can't be turned into blob");
|
||||
}
|
||||
const blob = BlobHandle.fromBlob(nativeBlob);
|
||||
// unsafe is ok because it's a jpeg or png image
|
||||
const blob = BlobHandle.fromBlobUnsafe(nativeBlob);
|
||||
return new ImageHandle(blob, scaledWidth, scaledHeight, null);
|
||||
}
|
||||
|
||||
|