[GH-ISSUE #306] Incorrect Content-Type for attachments #238

New issue

Closed

opened 2026-05-07 00:22:07 +02:00 by BreizhHardware · 2 comments

BreizhHardware commented

2026-05-07 00:22:07 +02:00

Owner

Originally created by @goodevilgenius on GitHub (Jun 2, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/306

Suppose I attach an html file, like this:

< file.html curl -X PUT ntfy.sh/topic -H "Filename: file.html" --data-binary @-

I get a response like (some parts left out):

{
  "event":"message",
  "topic":"topic",
  "attachment": {
    "name":"file.html",
    "type":"text/html; charset=utf-8",
    "url":"https://ntfy.sh/file/ABCDEFGHI.html"
  }
}

However, when I visit https://ntfy.sh/file/ABCDEFGHI.html, I expect that the "Content-Type" header in the response would be "text/html; charset=utf-8". Instead, it's "text/plain; charset=utf-8".

So, if I'm using the web app, I would expect that it would render correctly in the browser, but it doesn't.

Additionally, I don't know if this is a different bug, or caused by the same thing, but if I open that file from an Android notification, I would expect to be able to open that file in my browser, or "HTML Viewer". But only text editors are listed. I end up having to save the attachment to another location, and open it from a file manager.

Originally created by @goodevilgenius on GitHub (Jun 2, 2022). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/306 Suppose I attach an html file, like this: ```shell < file.html curl -X PUT ntfy.sh/topic -H "Filename: file.html" --data-binary @- ``` I get a response like (some parts left out): ```json { "event":"message", "topic":"topic", "attachment": { "name":"file.html", "type":"text/html; charset=utf-8", "url":"https://ntfy.sh/file/ABCDEFGHI.html" } } ``` However, when I visit https://ntfy.sh/file/ABCDEFGHI.html, I expect that the "Content-Type" header in the response would be "text/html; charset=utf-8". Instead, it's "text/plain; charset=utf-8". So, if I'm using the web app, I would expect that it would render correctly in the browser, but it doesn't. Additionally, I don't know if this is a different bug, or caused by the same thing, but if I open that file from an Android notification, I would expect to be able to open that file in my browser, or "HTML Viewer". But only text editors are listed. I end up having to save the attachment to another location, and open it from a file manager.

BreizhHardware

2026-05-07 00:22:07 +02:00

closed this issue
added the
question
label

BreizhHardware commented

2026-05-07 00:22:08 +02:00

Author

Owner

@binwiederhier commented on GitHub (Jun 2, 2022):

This is a feature, not a bug :-)

I go through great lengths to prevent sending text/html, because it's a giant security flaw to render user HTML in the scope of your domain. See https://github.com/binwiederhier/ntfy/blob/main/util/content_type_writer.go#L24

The Android thing is a feature request that you can put in a ticket for if you like.

(This ticket is a dup of #268.)

@binwiederhier commented on GitHub (Jun 2, 2022): This is a feature, not a bug :-) I go through great lengths to prevent sending text/html, because it's a giant security flaw to render user HTML in the scope of your domain. See https://github.com/binwiederhier/ntfy/blob/main/util/content_type_writer.go#L24 The Android thing is a feature request that you can put in a ticket for if you like. (This ticket is a dup of #268.)

BreizhHardware commented

2026-05-07 00:22:08 +02:00

Author

Owner

@goodevilgenius commented on GitHub (Jun 3, 2022):

Of course. That makes a lot of sense.

I'll open a new issue for the Android thing with more details.

Thanks!

@goodevilgenius commented on GitHub (Jun 3, 2022): Of course. That makes a lot of sense. I'll open a new issue for the Android thing with more details. Thanks!

BreizhHardware referenced this issue

2026-05-07 00:23:20 +02:00

[GH-ISSUE #459] Allow to put web-ui on separate port/host #350

BreizhHardware referenced this issue

2026-05-07 00:23:21 +02:00

[GH-ISSUE #459] Allow to put web-ui on separate port/host #350

BreizhHardware referenced this issue

2026-05-07 01:01:14 +02:00

[PR #249] [MERGED] Add disable option to web-root #1252

BreizhHardware referenced this issue

2026-05-07 01:02:42 +02:00

[PR #1329] [MERGED] [Featute] Add optional web app flag which requires a login for every action #1567