[jira] [Commented] (TIKA-3466) Cannot detect mimetype of xhtml file when script is first node instead of html

Nick Burch (Jira) Fri, 09 Jul 2021 02:05:06 -0700


    [ 
https://issues.apache.org/jira/browse/TIKA-3466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17377953#comment-17377953
 ]


Nick Burch commented on TIKA-3466:
----------------------------------

[~psakkanan] You  really need to be doing some xml parsing / validation then. 
Check it is a valid xml file with a validator. Check it is of the right schema 
/ DTD etc. Check all of that with a secure, locked down xml parser safe against 
entity expansion, external references etc

Anything that relies on "Tika thinks this is probably xml but probably not 
these specific subtypes of xml" when faced with malicious users who have the 
Tika source code is bound to fail

Use Tika for "should I reject this immediately" or "should I send this to my 
XML checker or my PDF checker". However, you should also review / watch 
https://twitter.com/angealbertini/status/1412453633170546695?s=11 for the "joy" 
of files which are valid as multiple file types!

> Cannot detect mimetype of xhtml file when script is first node instead of html
> ------------------------------------------------------------------------------
>
>                 Key: TIKA-3466
>                 URL: https://issues.apache.org/jira/browse/TIKA-3466
>             Project: Tika
>          Issue Type: Bug
>          Components: detector, mime
>    Affects Versions: 1.27
>            Reporter: Packiaraj Sakkanan
>            Priority: Major
>
> mime-type of below xhtml file deduced as 'application/xml' instead of 
> 'application/xhtml+xml' 
> {code:java}
> <?xml version="1.0" encoding="UTF-8" ?>
> <script xmlns="http://www.w3.org/1999/xhtml";><![CDATA[
>   alert(555);
>   ]]></script>
> {code}
>  
>  one possible solution is to add 'script' in tika-mimetypes.xml, like 
> {code:java}
> <mime-type type="application/xhtml+xml">
>   <!-- The magic priority for xhtml+xml needs to be lower than that of -->
>   <!--  files that contain HTML within them, e.g. mime emails -->
>   <magic priority="40">
>     <match value="&lt;html xmlns=" type="string" offset="0:8192"/>
>   </magic>
>   <root-XML namespaceURI="http://www.w3.org/1999/xhtml"; localName="html"/>
>   <root-XML namespaceURI="http://www.w3.org/1999/xhtml"; localName="script"/>
>   <glob pattern="*.xhtml"/>
>   <glob pattern="*.xht"/>
> </mime-type>
> {code}
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (TIKA-3466) Cannot detect mimetype of xhtml file when script is first node instead of html

Reply via email to