내 커뮤니티 업적 표시줄을 확대합니다.

Submissions are now open for the 2026 Adobe Experience Maker Awards.
Apply Now

Mark Solution

활동이 없어 이 대화는 잠겼습니다. 새 게시물을 작성해 주세요.

해결됨

HTML from DAM delivered with MIME type application/save

Avatar

Level 2
Level 2
15. 10. 15. 7:26:13 PM

I have some raw HTML files in DAM that I've activated.  In the DAM asset view, it's indicating "text/html" as the asset type.  When I visit the URL of the activated asset, the http response delivers content-type application/save.

text/html is defined as a mime type in the Sling Mime type service.

Are there default configurations around /content/dam/* forcing this?

Thoughts?

Thanks in advance.

조회 수

1.4K

답글

3
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역
1 채택된 해결책 개

Avatar

정확한 답변 작성자:
Level 10
Level 10
15. 10. 15. 7:26:13 PM

Starting with 5.6 we decided to try to get the author-side XSS[1] free as well. This means it should not be possible for an author to upload unfiltered HTML or JS anywhere to the repository - and this includes the DAM. We understand that customers want to store HTML/JS in the DAM, so the compromise was to serve these files with content-disposition: attachment so they will not be executed in the browser. Though the 'author' works within the company and has to be trusted at the same time have to deal with attacker-model of the 'disgruntled employee' and hence the SafeBinaryGetServlet to make you aware & use at your own risk. Remove the black listing of "text/html" from [2] should resolve the issue.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting

[2] http://<host>:<port>/system/console/configMgr/com.day.cq.dam.core.impl.servlet.SafeBinaryGetServlet

원본 게시물의 솔루션 보기

조회 수

961

답글

0
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역
답변으로 이동
3 답변 개

Avatar

정확한 답변 작성자:
Level 10
Level 10
15. 10. 15. 7:26:13 PM

Starting with 5.6 we decided to try to get the author-side XSS[1] free as well. This means it should not be possible for an author to upload unfiltered HTML or JS anywhere to the repository - and this includes the DAM. We understand that customers want to store HTML/JS in the DAM, so the compromise was to serve these files with content-disposition: attachment so they will not be executed in the browser. Though the 'author' works within the company and has to be trusted at the same time have to deal with attacker-model of the 'disgruntled employee' and hence the SafeBinaryGetServlet to make you aware & use at your own risk. Remove the black listing of "text/html" from [2] should resolve the issue.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting

[2] http://<host>:<port>/system/console/configMgr/com.day.cq.dam.core.impl.servlet.SafeBinaryGetServlet

조회 수

962

답글

0
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역
답변으로 이동

Avatar

Level 1
Level 1
15. 10. 15. 7:26:13 PM

I am also experiencing the same problem on a 5.6.1 instance.

조회 수

978

답글

0
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역

Avatar

Level 1
Level 1
15. 10. 15. 7:26:13 PM

A very informative answer. Thank you Sham!

조회 수

1.0K

답글

0
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역
관련 대화
Issue in Sling Model instantiating from Sightly Solved

조회 수

818

Likes

0

답글

3
AEM Cloud Service: Runtime Exclusion of External Links from Link Checker Solved

조회 수

987

Likes

0

답글

3
Avoid/block AEM path based servlet post call from postman and curl

조회 수

102

Likes

0

답글

1
Page Creation on Author Instance from Publish-Based Form Submission

조회 수

54

Likes

0

답글

3
Adobe Core Bundle (cq-dam-cfm-graphql) Not Starting After Rolling Restart

조회 수

403

Likes

0

답글

2