fix #10162 (comment)

mtrezza · mtrezza · commit 08a6bc7223a9 · 2026-03-09T23:21:15.000Z
diff --git a/spec/vulnerabilities.spec.js b/spec/vulnerabilities.spec.js
@@ -1175,6 +1175,9 @@ describe('(GHSA-v5hf-f4c3-m5rv) Stored XSS via .svgz, .xht, .xml, .xsl, .xslt fi
     }
   });
 
+  // Headers are intentionally omitted below so that the middleware parses _ContentType
+  // from the JSON body and sets it as the content-type header. When X-Parse-Application-Id
+  // is sent as a header, the middleware skips body parsing and _ContentType is ignored.
   it('blocks extensionless upload with application/xhtml+xml content type', async () => {
     const xhtContent = Buffer.from(
       '<?xml version="1.0"?><html xmlns="http://www.w3.org/1999/xhtml"><body><script>alert(1)</script></body></html>'

Original file line number	Diff line number	Diff line change
`@@ -1175,6 +1175,9 @@ describe('(GHSA-v5hf-f4c3-m5rv) Stored XSS via .svgz, .xht, .xml, .xsl, .xslt fi`
`1175`	`1175`	`}`
`1176`	`1176`	`});`
`1177`	`1177`
	`1178`	`+ // Headers are intentionally omitted below so that the middleware parses _ContentType`
	`1179`	`+ // from the JSON body and sets it as the content-type header. When X-Parse-Application-Id`
	`1180`	`+ // is sent as a header, the middleware skips body parsing and _ContentType is ignored.`
`1178`	`1181`	`it('blocks extensionless upload with application/xhtml+xml content type', async () => {`
`1179`	`1182`	`const xhtContent = Buffer.from(`
`1180`	`1183`	`'<?xml version="1.0"?><html xmlns="http://www.w3.org/1999/xhtml"><body><script>alert(1)</script></body></html>'`