
Is it possible for the file extension to say one thing and the MIME type to say something else? So the file extension could be .jpg (reassuring the user that it is only an image) but the HTTP response says it is text/html?

I think a similar exploit was used recently with .svg images - they can contain JavaScript (being XML) which will be executed by the browser. Not sure about the details, however.



> I think a similar exploit was used recently with .svg images - they can contain JavaScript (being XML) which will be executed by the browser. Not sure about the details, however.

However, the JavaScript shouldn't execute if the image is embedded via <img>.
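
Added example, not part of the thread or any commenter's code: a defender-side check for the two cases discussed above, an extension that disagrees with the declared Content-Type and a script-capable type (HTML, SVG) served so that it opens as a document. The extension map, the function names `auditResponse` and `safeUploadHeaders`, and the sample URLs in the comments are assumptions made for illustration.

```javascript
// Constructed, minimal extension-to-type map (an assumption, not a complete registry).
const EXPECTED = {
  ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
  ".gif": "image/gif", ".svg": "image/svg+xml",
};
// Types a browser can run script from when the URL is opened as a document.
const ACTIVE = new Set(["text/html", "application/xhtml+xml", "image/svg+xml"]);

function extensionOf(url) {
  const name = url.split(/[?#]/)[0].split("/").pop();
  const dot = name.lastIndexOf(".");
  return dot > 0 ? name.slice(dot).toLowerCase() : "";
}

function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Audit one response: header names are expected in lower case.
function auditResponse(url, headers) {
  const ext = extensionOf(url);
  const type = mediaType(headers["content-type"]);
  const findings = [];
  if (EXPECTED[ext] && type !== EXPECTED[ext]) {
    findings.push(`extension ${ext} served as ${type || "(no type)"}`);
  }
  if (ACTIVE.has(type) && !/attachment/i.test(headers["content-disposition"] || "")) {
    findings.push(`${type} renders inline and can run script when opened directly`);
  }
  if ((headers["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("missing X-Content-Type-Options: nosniff");
  }
  return findings;
}

// Headers for serving an untrusted upload: type follows the extension map,
// sniffing is disabled, and script-capable or unknown types are downloaded, not rendered.
function safeUploadHeaders(filename) {
  const type = EXPECTED[extensionOf(filename)] || "application/octet-stream";
  const headers = { "content-type": type, "x-content-type-options": "nosniff" };
  if (ACTIVE.has(type) || type === "application/octet-stream") {
    headers["content-disposition"] = "attachment";
    headers["content-security-policy"] = "default-src 'none'; sandbox";
  }
  return headers;
}
```
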



