Previously, `Content-Disposition` was always set to `inline`, even for
HTML, which means that XSS could be easily acheived by uploading
malicious HTML and getting someone to click on the Matrix HTTP API link
for that piece of media. Now, we have an allowlist of safe values for
`Content-Type` that use `inline` while everything else defaults to
`attachment`, including HTML and SVG, which prevents XSS.
We also set the `Content-Security-Policy` header because why not.
A `set_header_or_panic` function is introduced to do what it says in
case Ruma begins providing better or worse values for the relevant
headers in the future. The safest way to handle such a case is simply
to panic.
I'm turning off the documentation related ones because they generate
way too many warnings, this kind of thing will need to be improved over
a longer timespan.
Functions using `services()` are allowed to pointlessly take `self`
because the existence of `services()` is a crime and the solution is
making the types store references to their dependencies and then going
through `self`, so just allowing the lint saves us from modifying some
code only to switch it back later. Much later. Getting rid of
`services()` will probably be an ordeal.
There was only one unsafe block (thankfully) but it also had no docs.
I did some reading and found out this in fact safe, but only for cursed
reasons, and documented them. Also, the name of the type was misleading,
as the entire point is the aliasing, and `Box` is already non-aliasing.
Except the 1 violation would have to be renamed in, like, every single
file in this project. So we're just enabling it so that we don't make
the same mistake in the future.
