From a1fd3199d67b38deb13d9f532ba36219a74d7d22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Tue, 24 Feb 2026 22:48:18 +0100
Subject: [PATCH] Render HTML as plain text via attachment_view controller

This makes it consistent with the public paths and ensures all HTML is only rendered in our sandbox
---
 src/Controller/AttachmentFileController.php | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/Controller/AttachmentFileController.php b/src/Controller/AttachmentFileController.php
index c16c1e85..278bcf6e 100644
--- a/src/Controller/AttachmentFileController.php
+++ b/src/Controller/AttachmentFileController.php
@@ -88,8 +88,10 @@ class AttachmentFileController extends AbstractController
 $file_path = $this->helper->toAbsoluteInternalFilePath($attachment);
 $response = new BinaryFileResponse($file_path);
 
+ $response = $this->forbidHTMLContentType($response);
+
 //Set header content disposition, so that the file will be downloaded
- $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_ATTACHMENT);
+ $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_ATTACHMENT, $attachment->getFilename());
 
 return $response;
 }
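Review bot: The filename argument added to `setContentDisposition()` on the download path takes `$attachment->getFilename()` with no guard, and the same call is repeated on the inline path in the second hunk. The patch does not show that method's return type; if it can return null (for example for an attachment without an internal file), the call would fail on the typed `string` parameter. As far as I know, Symfony's disposition builder also rejects names containing `/` or `\`, so a stored original filename with either character would turn the request into an exception. Consider `$attachment->getFilename() ?? ''`, which lets the response fall back to the on-disk name, and normalise the name before it reaches the header. The enclosing method starts above the hunk.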
@@ -105,8 +107,23 @@ class AttachmentFileController extends AbstractController
 $file_path = $this->helper->toAbsoluteInternalFilePath($attachment);
 $response = new BinaryFileResponse($file_path);
 
+ $response = $this->forbidHTMLContentType($response);
+
 //Set header content disposition, so that the file will be downloaded
- $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_INLINE);
+ $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_INLINE, $attachment->getFilename());
+
+ return $response;
+ }
+
+ private function forbidHTMLContentType(BinaryFileResponse $response): BinaryFileResponse
+ {
+ $mimeType = $response->getFile()->getMimeType();
+
+ if ($mimeType === 'text/html') {
+ $mimeType = 'text/plain';
+ }
+
+ $response->headers->set('Content-Type', $mimeType);
 
 return $response;
 }
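Review bot: `forbidHTMLContentType()` rewrites only an exact `text/html`, so other types that a browser parses as an active document in the application's origin, such as `application/xhtml+xml`, are still served with `DISPOSITION_INLINE`; `image/svg+xml` has the same property when opened directly, though retyping it would also stop it displaying as an image, so it may need a different control. `getMimeType()` is nullable in Symfony's `File`, and passing null to `headers->set('Content-Type', …)` may leave the response without a usable type, which hands the decision to the browser's sniffing. I would treat the check as a list, default an undetected type to `application/octet-stream`, and send `X-Content-Type-Options: nosniff` unless the application already sets it globally, which this patch does not show. The helper also has no docblock saying why the type is rewritten.

```php
private function forbidHTMLContentType(BinaryFileResponse $response): BinaryFileResponse
{
    // Detection can fail; fall back to a type no browser renders instead of sending none.
    $mimeType = $response->getFile()->getMimeType() ?? 'application/octet-stream';

    // Document types that a browser parses as markup and may script in this origin.
    if (in_array($mimeType, ['text/html', 'application/xhtml+xml'], true)) {
        $mimeType = 'text/plain';
    }

    // … unchanged: Content-Type header is set from $mimeType …
    // Tell the browser to honour the declared type rather than sniff the body.
    $response->headers->set('X-Content-Type-Options', 'nosniff');
    // … unchanged: return $response …
```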