Function: sanitizeMimeType()
function sanitizeMimeType(
raw: string,
kind?: "document" | "audio" | "image" | "video",
): string;Defined in: src/batteries/llm/chat_common/helpers.ts:130
Validate a media mimeType for safe interpolation into a data:<mime>;base64,… URI, a Blob({type}), or a synthetic-description line.
Parameters
| Parameter | Type |
|---|---|
raw | string |
kind? | "document" | "audio" | "image" | "video" |
Returns
string
Remarks
A raw mimeType is attacker-influenced (it rides in on user uploads / tool output). The committee's sharpest finding was a mimeType like image/png;base64,<payload>;x= — interpolated into data:${mime};base64,${b64} it produces a DOUBLE ;base64,, letting a permissive data-URI parser decode the attacker's prefix instead of the real payload (a content-type confusion / injection). A \r\n in the mime is an HTTP-header-injection vector if the URI is ever reflected. We accept ONLY a strict type/subtype (no params, no whitespace, no ;/,); anything else collapses to the kind's generic safe subtype (so an image still decodes as an image) or application/octet-stream.