Skip to content
1 min read · 153 words

Function: sanitizeMimeType()

ts
function sanitizeMimeType(
  raw: string,
  kind?: "document" | "audio" | "image" | "video",
): string;

Defined in: src/batteries/llm/chat_common/helpers.ts:130

Validate a media mimeType for safe interpolation into a data:<mime>;base64,… URI, a Blob({type}), or a synthetic-description line.

Parameters

ParameterType
rawstring
kind?"document" | "audio" | "image" | "video"

Returns

string

Remarks

A raw mimeType is attacker-influenced (it rides in on user uploads / tool output). The committee's sharpest finding was a mimeType like image/png;base64,<payload>;x= — interpolated into data:${mime};base64,${b64} it produces a DOUBLE ;base64,, letting a permissive data-URI parser decode the attacker's prefix instead of the real payload (a content-type confusion / injection). A \r\n in the mime is an HTTP-header-injection vector if the URI is ever reflected. We accept ONLY a strict type/subtype (no params, no whitespace, no ;/,); anything else collapses to the kind's generic safe subtype (so an image still decodes as an image) or application/octet-stream.