fix: allow svg in image-proxy

alexdln · alexdln · commit 05fc15b38d27 · 2026-02-28T14:50:15.000Z
diff --git a/server/api/registry/image-proxy/index.get.ts b/server/api/registry/image-proxy/index.get.ts
@@ -164,9 +164,8 @@ export default defineEventHandler(async event => {
 
     const contentType = response.headers.get('content-type') || 'application/octet-stream'
 
-    // Only allow raster/vector image content types, but block SVG to prevent
-    // embedded JavaScript execution (SVGs can contain <script> tags, event handlers, etc.)
-    if (!contentType.startsWith('image/') || contentType.includes('svg')) {
+    // Allow raster/vector image content types (we don't inject external content into DOM, so SVG is allowed too)
+    if (!contentType.startsWith('image/')) {
       await response.body?.cancel()
       return {place: 'contentType', url, sig, reqUrl: event.node.req.url, reqOrigUrl: event.node.req.originalUrl}
       // throw createError({
