fix(editor): Restrict what binary-data types can be viewed in the UI (#14685)

packages/@n8n/api-types/src/index.ts

@@ -12,6 +12,7 @@ export { createHeartbeatMessage, heartbeatMessageSchema } from './push/heartbeat
 export type { SendWorkerStatusMessage } from './push/worker';
 
 export type { BannerName } from './schemas/bannerName.schema';
+export { ViewableMimeTypes } from './schemas/binaryData.schema';
 export { passwordSchema } from './schemas/password.schema';
 
 export type {

packages/@n8n/api-types/src/schemas/binaryData.schema.ts

@@ -0,0 +1,32 @@
+/**
+ * List of MIME types that are considered safe to be viewed directly in a browser.
+ *
+ * Explicitly excluded from this list:
+ * - 'text/html': Excluded due to high XSS risks, as HTML can execute arbitrary JavaScript
+ * - 'image/svg+xml': Excluded because SVG can contain embedded JavaScript that might execute in certain contexts
+ * - 'application/pdf': Excluded due to potential arbitrary code-execution vulnerabilities in PDF rendering engines
+ */
+export const ViewableMimeTypes = [
+	'application/json',
+
+	'audio/mpeg',
+	'audio/ogg',
+	'audio/wav',
+
+	'image/bmp',
+	'image/gif',
+	'image/jpeg',
+	'image/jpg',
+	'image/png',
+	'image/tiff',
+	'image/webp',
+
+	'text/css',
+	'text/csv',
+	'text/markdown',
+	'text/plain',
+
+	'video/mp4',
+	'video/ogg',
+	'video/webm',
+];