From 564ceda1247f444bc7c20c6be01cf71f62c549f1 Mon Sep 17 00:00:00 2001
From: Runxi Yu
Date: Thu, 03 Apr 2025 18:04:16 +0800
Subject: [PATCH] HTTP: Serve raw blobs with application/octet-stream

So we don't get XSSed. Might be useful to use heuristics to detect whether it's displayable as text/plain, though.

Fixes: https://todo.sr.ht/~runxiyu/forge/20#event-411435
---
 http_handle_repo_raw.go | 1 +

diff --git a/http_handle_repo_raw.go b/http_handle_repo_raw.go
index 4394e1865d1594a010b58af839f8803df19813da..75296d6929edb793aa359e07b303c2b506ebad0e 100644
--- a/http_handle_repo_raw.go
+++ b/http_handle_repo_raw.go
@@ -77,6 +77,7 @@ return
 	}
 	cost := time.Since(start).Nanoseconds()
 	commitPathFileRawCache.Set(cacheHandle, fileContent, cost)
+	writer.Header().Set("Content-Type", "application/octet-stream")
 	fmt.Fprint(writer, fileContent)
 	return
 }
--
2.48.1
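Review bot: The added Content-Type on its own still leaves the response subject to content sniffing in some user agents; pair it with `writer.Header().Set("X-Content-Type-Options", "nosniff")` directly after the new line so the declared type is honored rather than guessed from the blob's bytes. The enclosing handler starts before this hunk; if an earlier branch (for instance a cache hit on commitPathFileRawCache) writes fileContent on its own, that path presumably needs the same headers, which is worth confirming. A short comment above the Set call, such as `// Serve the blob as an opaque download so user-controlled content is never rendered as HTML`, would record why the type is fixed regardless of the file's name.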