From 6ef9ba0305d8a4edfa37c7250139ae38ca44e6ca Mon Sep 17 00:00:00 2001
From: Damien Elmes <gpg@ankiweb.net>
Date: Sat, 1 Jun 2024 15:50:27 +0700
Subject: [PATCH] Switch 404 responses to plain text

Alternative fix which closes #3220
---
 qt/aqt/mediasrv.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/qt/aqt/mediasrv.py b/qt/aqt/mediasrv.py
index f7c7c50e9..9b436b1cb 100644
--- a/qt/aqt/mediasrv.py
+++ b/qt/aqt/mediasrv.py
@@ -270,10 +270,14 @@ def _handle_builtin_file_request(request: BundledFileRequest) -> Response:
     except FileNotFoundError:
         if dev_mode:
             print(f"404: {data_path}")
-        return flask.make_response(
+        resp = flask.make_response(
             f"Invalid path: {path}",
             HTTPStatus.NOT_FOUND,
         )
+        # we're including the path verbatim in our response, so we need to either use
+        # plain text, or escape HTML characters to reflecting untrusted input
+        resp.headers["Content-type"] = "text/plain"
+        return resp
     except Exception as error:
         if dev_mode:
             print(