Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing
The remark42 image proxy fetches an arbitrary remote URL and re-serves the response from remark42's own origin. The download path decides whether the fetched resource is an image by looking only at the Content-Type header the remote server claims; it never inspects the actual bytes. The serving path then derives the response Content-Type by sniffing those bytes with http.DetectContentType, so the two decisions can disagree: a body whose header claims image/png but whose bytes are HTML passes the download check and is sniffed, and served, as text/html. An attacker hosts a URL that sets Content-Type to image/png …
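The mismatch between the two checks, reproduced as an added Go example (this is illustration code written for this page, not remark42's own proxy code or its fix). The attacker response body, the PNG bytes, and the helper names `headerOnlyCheck`, `sniffedType` and `validateImage` are all constructed here; the only real library call is `http.DetectContentType`, which is what the report says the serving path uses.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Added illustration, not remark42's code. It models the two checks the
// report describes: a download step that trusts the remote Content-Type
// header, and a serving step that sniffs the body with http.DetectContentType.

// Constructed sample: what a hypothetical attacker host would return.
// The header claims image/png; the body is HTML carrying a script.
const attackerClaimedType = "image/png"

var attackerBody = []byte(`<!DOCTYPE html><html><body><script>alert(document.domain)</script></body></html>`)

// Constructed sample: a genuine PNG prefix (8-byte signature plus zero padding).
var realPNG = append([]byte{0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a}, make([]byte, 24)...)

var errNotImage = errors.New("fetched resource is not an image")

// headerOnlyCheck is the weak download-side check from the report: the
// resource counts as an image if the remote server's header says so.
func headerOnlyCheck(claimedType string) bool {
	return strings.HasPrefix(strings.ToLower(claimedType), "image/")
}

// sniffedType is the serving-side logic: the Content-Type actually sent to
// the browser comes from the bytes, not from the remote header.
func sniffedType(body []byte) string {
	return http.DetectContentType(body)
}

// validateImage is a hardened check (assumed here, not remark42's fix): the
// resource is accepted only if the sniffed type of the real bytes is an
// image, and that sniffed type is the one that gets served.
func validateImage(claimedType string, body []byte) (string, error) {
	if !headerOnlyCheck(claimedType) {
		return "", errNotImage
	}
	actual := sniffedType(body)
	if !strings.HasPrefix(actual, "image/") {
		return "", fmt.Errorf("%w: header said %q, bytes sniff as %q", errNotImage, claimedType, actual)
	}
	return actual, nil
}

func main() {
	// Weak path: the header check passes, but the served type is text/html.
	fmt.Println("header-only check accepts attacker response:", headerOnlyCheck(attackerClaimedType))
	fmt.Println("type the proxy would serve:", sniffedType(attackerBody))

	// Hardened path: the same response is rejected; a real PNG still passes.
	_, err := validateImage(attackerClaimedType, attackerBody)
	fmt.Println("hardened check on attacker response:", err)
	ct, err := validateImage("image/png", realPNG)
	fmt.Println("hardened check on real PNG:", ct, err)
}
```

The point the example makes is that the header-based download check and the sniff-based serving check are answering different questions; any validation that is meant to keep non-images out of the proxy has to look at the same bytes the serving path will sniff.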