fix: PDF preview of XSS attack

shaohuzhang1 · shaohuzhang1 · commit 98982718c057 · 2026-04-17T14:59:37.000+08:00
diff --git a/apps/oss/serializers/file.py b/apps/oss/serializers/file.py
@@ -123,7 +123,7 @@ def get(self, with_valid=True):
             # 对于非范围请求或其他类型文件，返回完整内容
             headers = {
                 'Content-Type': content_type,
-                'Content-Disposition': f'{"inline" if file_type == "pdf" else "attachment"}; filename={encoded_filename}'
+                'Content-Disposition': f'"attachment"; filename={encoded_filename}'
             }
             return HttpResponse(
                 file_bytes,
diff --git a/ui/env.d.ts b/ui/env.d.ts
@@ -1,5 +1,6 @@
 /// <reference types="vite/client" />
 declare module 'katex'
+declare module 'pdfjs-dist/build/pdf.mjs'
 interface Window {
   sendMessage: ?((message: string, other_params_data: any) => void)
   chatUserProfile: ?(() => any)
diff --git a/ui/package.json b/ui/package.json
@@ -44,6 +44,7 @@
     "nanoid": "^5.1.5",
     "node-forge": "^1.3.1",
     "nprogress": "^0.2.0",
+    "pdfjs-dist": "^5.6.205",
     "pinia": "^3.0.1",
     "recorder-core": "^1.3.25011100",
     "sanitize-html": "^2.17.0",
diff --git a/ui/src/components/ai-chat/component/knowledge-source-component/ParagraphDocumentContent.vue b/ui/src/components/ai-chat/component/knowledge-source-component/ParagraphDocumentContent.vue

Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ def get(self, with_valid=True):`
`123`	`123`	`# 对于非范围请求或其他类型文件，返回完整内容`
`124`	`124`	`headers = {`
`125`	`125`	`'Content-Type': content_type,`
`126`		`- 'Content-Disposition': f'{"inline" if file_type == "pdf" else "attachment"}; filename={encoded_filename}'`
	`126`	`+ 'Content-Disposition': f'"attachment"; filename={encoded_filename}'`
`127`	`127`	`}`
`128`	`128`	`return HttpResponse(`
`129`	`129`	`file_bytes,`