Merge pull request #35805 from akhilnarang/fix-xml-html-svg

fix: download certain file types instead of rendering in browser
2026-01-12 11:59:25 +05:30 · 2026-01-12 11:59:25 +05:30 · c7dbd957d9
commit c7dbd957d9
parent 0390c8d933 e0e69a495c
2 changed files with 25 additions and 5 deletions
--- a/frappe/middlewares.py
+++ b/frappe/middlewares.py
@ -8,12 +8,27 @@ from werkzeug.middleware.shared_data import SharedDataMiddleware

 import frappe
 from frappe.utils import cstr, get_site_name
+from frappe.utils.response import FORCE_DOWNLOAD_EXTENSIONS


 class StaticDataMiddleware(SharedDataMiddleware):
 	def __call__(self, environ, start_response):
 		self.environ = environ
-		return super().__call__(environ, start_response)
+
+		def patch_start_response(status, headers, exc_info=None):
+			if (
+				(path := environ.get("PATH_INFO", ""))
+				and path.startswith("/files/")
+				and path.lower().endswith(FORCE_DOWNLOAD_EXTENSIONS)
+			):
+				from urllib.parse import quote
+
+				filename = Path(path).name
+				headers.append(("Content-Disposition", f"attachment; filename*=UTF-8''{quote(filename)}"))
+
+			return start_response(status, headers, exc_info)
+
+		return super().__call__(environ, patch_start_response)

 	def get_directory_loader(self, directory):
 		def loader(path):
--- a/frappe/utils/response.py
+++ b/frappe/utils/response.py
@ -298,10 +298,16 @@ def download_private_file(path: str) -> Response:
 	return send_private_file(path.split("/private", 1)[1])


+FORCE_DOWNLOAD_EXTENSIONS = (".svg", ".html", ".htm", ".xml")
+
+
 def send_private_file(path: str) -> Response:
 	path = os.path.join(frappe.local.conf.get("private_path", "private"), path.strip("/"))
 	filename = os.path.basename(path)

+	extension = os.path.splitext(path)[1]
+	as_attachment = extension.lower() in FORCE_DOWNLOAD_EXTENSIONS
+
 	if frappe.local.request.headers.get("X-Use-X-Accel-Redirect"):
 		path = "/protected/" + path
 		response = Response()
@ -310,15 +316,14 @@ def send_private_file(path: str) -> Response:
 		response.headers["Accept-Ranges"] = "bytes"
 		response.headers["Content-Type"] = mimetypes.guess_type(filename)[0] or "application/octet-stream"

+		if as_attachment:
+			response.headers["Content-Disposition"] = f"attachment; filename*=UTF-8''{quote(filename)}"
+
 	else:
 		filepath = frappe.utils.get_site_path(path)
 		if not os.path.exists(filepath):
 			raise NotFound

-		extension = os.path.splitext(path)[1]
-		blacklist = [".svg", ".html", ".htm", ".xml"]
-		as_attachment = extension.lower() in blacklist
-
 		response = werkzeug.utils.send_file(
 			filepath,
 			environ=frappe.local.request.environ,