diff --git a/src/platform/web/Platform.js b/src/platform/web/Platform.js index be8c9970..50ec60a5 100644 --- a/src/platform/web/Platform.js +++ b/src/platform/web/Platform.js @@ -300,7 +300,8 @@ export class Platform { const file = input.files[0]; this._container.removeChild(input); if (file) { - resolve({name: file.name, blob: BlobHandle.fromBlob(file)}); + // ok to not filter mimetypes as these are local files + resolve({name: file.name, blob: BlobHandle.fromBlobUnsafe(file)}); } else { resolve(); } diff --git a/src/platform/web/dom/BlobHandle.js b/src/platform/web/dom/BlobHandle.js index 932fa53c..2d5231e0 100644 --- a/src/platform/web/dom/BlobHandle.js +++ b/src/platform/web/dom/BlobHandle.js @@ -76,7 +76,7 @@ const DEFAULT_MIMETYPE = 'application/octet-stream'; export class BlobHandle { /** * @internal - * Don't use the constructor directly, instead use fromBuffer, fromBlob or fromBufferUnsafe + * Don't use the constructor directly, instead use fromBuffer or fromBlobUnsafe * */ constructor(blob, buffer = null) { this._blob = blob; @@ -84,13 +84,6 @@ export class BlobHandle { this._url = null; } - /** Does not filter out mimetypes that could execute embedded javascript. - * It's up to the callee of this method to ensure that the blob won't be - * rendered by the browser in a way that could allow cross-signing scripting. */ - static fromBufferUnsafe(buffer, mimetype) { - return new BlobHandle(new Blob([buffer], {type: mimetype}), buffer); - } - static fromBuffer(buffer, mimetype) { mimetype = mimetype ? mimetype.split(";")[0].trim() : ''; if (!ALLOWED_BLOB_MIMETYPES[mimetype]) { @@ -99,8 +92,10 @@ export class BlobHandle { return new BlobHandle(new Blob([buffer], {type: mimetype}), buffer); } - static fromBlob(blob) { - // ok to not filter mimetypes as these are local files + /** Does not filter out mimetypes that could execute embedded javascript. + * It's up to the callee of this method to ensure that the blob won't be + * rendered by the browser in a way that could allow cross-signing scripting. */ + static fromBlobUnsafe(blob) { return new BlobHandle(blob); } diff --git a/src/platform/web/dom/ImageHandle.js b/src/platform/web/dom/ImageHandle.js index 4ac3a6cd..19fd8c59 100644 --- a/src/platform/web/dom/ImageHandle.js +++ b/src/platform/web/dom/ImageHandle.js @@ -64,7 +64,8 @@ export class ImageHandle { } else { throw new Error("canvas can't be turned into blob"); } - const blob = BlobHandle.fromBlob(nativeBlob); + // unsafe is ok because it's a jpeg or png image + const blob = BlobHandle.fromBlobUnsafe(nativeBlob); return new ImageHandle(blob, scaledWidth, scaledHeight, null); }