fix(fetchkit): tighten content-type checks for markdown and text by chaliy · Pull Request #125 · everruns/fetchkit

chaliy · 2026-05-17T17:09:56Z

Substring-based Content-Type checks could misclassify text/html responses that include parameters like profile="text/markdown" as markdown or plain text, allowing raw HTML (including <script>/iframe) to bypass the HTML conversion sanitization.

Change is_markdown_content_type and is_plain_text_content_type to parse only the primary media type token (the part before ;) and compare it with eq_ignore_ascii_case after trimming.
Add regression assertions to the unit tests to ensure headers like text/html; profile="text/markdown" and text/html; profile="text/plain" are not treated as markdown/plain text.
This is a minimal behavioral fix that preserves existing functionality for legitimate text/markdown and text/plain media types while preventing parameter-based spoofing.

Ran cargo test -p fetchkit is_markdown_content_type and the updated test_is_markdown_content_type passed.
Ran cargo test -p fetchkit is_plain_text_content_type and the updated test_is_plain_text_content_type passed.
The change is limited to content-type detection and does not alter the HTML conversion code paths beyond restoring correct sanitization routing.

…ability

fix(fetchkit): tighten content-type checks for markdown and text

b90119d

chaliy added codex aardvark labels May 17, 2026 — with ChatGPT Codex Connector

chaliy added the codex label May 17, 2026

Merge branch 'main' into 2026-05-17-fix-content-type-detection-vulner…

0309834

…ability

chaliy merged commit 5cb749c into main May 17, 2026
11 checks passed

chaliy deleted the 2026-05-17-fix-content-type-detection-vulnerability branch May 17, 2026 18:57

Provide feedback