package storage import ( "strings" ) // sanitizeFilename removes characters that could cause header injection in Content-Disposition. func sanitizeFilename(name string) string { var b strings.Builder b.Grow(len(name)) for _, r := range name { // Strip control chars, newlines, null bytes, quotes, semicolons, backslashes if r < 0x20 || r == 0x7f || r == '"' || r == ';' || r == '\\' || r == '\x00' { b.WriteRune('_') } else { b.WriteRune(r) } } return b.String() } // isInlineContentType returns true for media types that browsers should // display inline (images, video, audio, PDF). Everything else triggers a // download via Content-Disposition: attachment. func isInlineContentType(ct string) bool { return strings.HasPrefix(ct, "image/") || strings.HasPrefix(ct, "video/") || strings.HasPrefix(ct, "audio/") || ct == "application/pdf" }