From cd011e6ce4f94220dfd0f5ae708801cf6435cea1 Mon Sep 17 00:00:00 2001
From: Sergey Ponomarev
Date: Thu, 8 Jan 2026 02:28:33 +0200
Subject: [PATCH] SPARK-2380: insertPicture(): Check if the file extension is a known image type
---
 .../main/java/org/jivesoftware/spark/ui/MessageEntry.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/core/src/main/java/org/jivesoftware/spark/ui/MessageEntry.java b/core/src/main/java/org/jivesoftware/spark/ui/MessageEntry.java
index f2df152f0..9992e9f7e 100644
--- a/core/src/main/java/org/jivesoftware/spark/ui/MessageEntry.java
+++ b/core/src/main/java/org/jivesoftware/spark/ui/MessageEntry.java
@@ -33,6 +33,7 @@ import javax.swing.text.*;
 import java.awt.*;
 import java.awt.image.BufferedImage;
 import java.net.URI;
+import java.net.URLConnection;
 import java.time.ZonedDateTime;
 import java.util.List;
 import java.util.*;
@@ -386,6 +387,11 @@ public class MessageEntry extends TimeStampedEntry
 if (path == null || path.isEmpty()) {
 return false;
 }
+ // Check if the file extension is a known image type
+ String mimeType = URLConnection.getFileNameMap().getContentTypeFor(path);
+ if (mimeType == null || !mimeType.startsWith("image/")) {
+ return false;
+ }
 try (final CloseableHttpClient httpClient = HttpClients.custom()