Expand my Community achievements bar.

SOLVED

HTML from DAM delivered with MIME type application/save

Avatar

Level 2
Level 2
10/15/15 7:26:13 PM

I have some raw HTML files in DAM that I've activated.  In the DAM asset view, it's indicating "text/html" as the asset type.  When I visit the URL of the activated asset, the http response delivers content-type application/save.

text/html is defined as a mime type in the Sling Mime type service.

Are there default configurations around /content/dam/* forcing this?

Thoughts?

Thanks in advance.

Views

1.3K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 10
Level 10
10/15/15 7:26:13 PM

Starting with 5.6 we decided to try to get the author-side XSS[1] free as well. This means it should not be possible for an author to upload unfiltered HTML or JS anywhere to the repository - and this includes the DAM. We understand that customers want to store HTML/JS in the DAM, so the compromise was to serve these files with content-disposition: attachment so they will not be executed in the browser. Though the 'author' works within the company and has to be trusted at the same time have to deal with attacker-model of the 'disgruntled employee' and hence the SafeBinaryGetServlet to make you aware & use at your own risk. Remove the black listing of "text/html" from [2] should resolve the issue.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting

[2] http://<host>:<port>/system/console/configMgr/com.day.cq.dam.core.impl.servlet.SafeBinaryGetServlet

View solution in original post

Views

812

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
3 Replies

Avatar

Correct answer by
Level 10
Level 10
10/15/15 7:26:13 PM

Starting with 5.6 we decided to try to get the author-side XSS[1] free as well. This means it should not be possible for an author to upload unfiltered HTML or JS anywhere to the repository - and this includes the DAM. We understand that customers want to store HTML/JS in the DAM, so the compromise was to serve these files with content-disposition: attachment so they will not be executed in the browser. Though the 'author' works within the company and has to be trusted at the same time have to deal with attacker-model of the 'disgruntled employee' and hence the SafeBinaryGetServlet to make you aware & use at your own risk. Remove the black listing of "text/html" from [2] should resolve the issue.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting

[2] http://<host>:<port>/system/console/configMgr/com.day.cq.dam.core.impl.servlet.SafeBinaryGetServlet

Views

813

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 1
Level 1
10/15/15 7:26:13 PM

I am also experiencing the same problem on a 5.6.1 instance.

Views

829

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 1
Level 1
10/15/15 7:26:13 PM

A very informative answer. Thank you Sham!

Views

877

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
How dispatcher cache flush works for cached content with selector in AEM CS(Cloud Service)? Solved

Views

129

Likes

0

Replies

4
Some metadata not extracted by DAM update asset workflow

Views

67

Likes

2

Replies

0
Pages are appearing white while migrating code from on-premise to cloud

Views

129

Like

1

Replies

3
Cloud server is throwing error with felix plugin

Views

90

Likes

0

Replies

1
AEM Cannot extract metadata from pdf

Views

207

Likes

0

Replies

9