diff --git a/src/main/scala/app/AccountController.scala b/src/main/scala/app/AccountController.scala
index 4628a36..9acfd8d 100644
--- a/src/main/scala/app/AccountController.scala
+++ b/src/main/scala/app/AccountController.scala
@@ -135,8 +135,9 @@
   get("/:userName/_avatar"){
     val userName = params("userName")
     getAccountByUserName(userName).flatMap(_.image).map { image =>
-      contentType = FileUtil.getMimeType(image)
-      new java.io.File(getUserUploadDir(userName), image)
+      outputUploadedRawData(
+        FileUtil.getMimeType(image),
+        new java.io.File(getUserUploadDir(userName), image))
     } getOrElse {
       contentType = "image/png"
       Thread.currentThread.getContextClassLoader.getResourceAsStream("noimage.png")
diff --git a/src/main/scala/app/ControllerBase.scala b/src/main/scala/app/ControllerBase.scala
index c31b90f..be8d37a 100644
--- a/src/main/scala/app/ControllerBase.scala
+++ b/src/main/scala/app/ControllerBase.scala
@@ -134,6 +134,16 @@
     if (path.startsWith("http")) path else baseUrl + super.url(path, params, false, false, false)
+  /** against XSS */
+  def outputUploadedRawData[DATATYPE](contentType: String, rawData: DATATYPE): DATATYPE = {
+    if(contentType.split(";").head.trim.toLowerCase.startsWith("text/html")){
+      this.contentType = "text/plain"
+    } else {
+      this.contentType = contentType
+    }
+    response.addHeader("X-Content-Type-Options", "nosniff")
+    rawData
+  }
 }
 /**
diff --git a/src/main/scala/app/IssuesController.scala b/src/main/scala/app/IssuesController.scala
index 9f6efcf..7abab1a 100644
--- a/src/main/scala/app/IssuesController.scala
+++ b/src/main/scala/app/IssuesController.scala
@@ -292,8 +292,7 @@
     (Directory.getAttachedDir(repository.owner, repository.name) match {
       case dir if(dir.exists && dir.isDirectory) =>
         dir.listFiles.find(_.getName.startsWith(params("file") + ".")).map { file =>
-          contentType = FileUtil.getMimeType(file.getName)
-          file
+          outputUploadedRawData(FileUtil.getMimeType(file.getName), file)
         }
       case _ => None
     }) getOrElse NotFound
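Review bot: The `getOrElse` fallback in the same avatar route still assigns `contentType = "image/png"` directly and returns the bundled `noimage.png`, so only the user-uploaded branch goes through `outputUploadedRawData` and receives the `X-Content-Type-Options: nosniff` header. The bundled image is not user-controlled, so this is a consistency point rather than a hole, but routing both branches through the helper keeps the policy in one place: `outputUploadedRawData("image/png", Thread.currentThread.getContextClassLoader.getResourceAsStream("noimage.png"))`. The `get` block continues outside the hunk.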
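Review bot: The new helper only neutralises `text/html`, but a browser also executes script when it navigates directly to a document served as `application/xhtml+xml`, `image/svg+xml`, or XML (`text/xml`/`application/xml` carrying an XSLT stylesheet), so an upload with one of those extensions is still rendered as active content in the application's origin, and `nosniff` does not help because the declared type is already the dangerous one. I would compare the normalised media type against a small deny-list and add a `Content-Security-Policy: sandbox` header as a second line of defence, assuming that header is acceptable for the browsers the project targets; the rewrite below keeps the signature. Using `setHeader` instead of `addHeader` also avoids duplicate headers if the helper is ever invoked twice on one response. If `FileUtil.getMimeType` can return null for an unknown extension (not visible here), `contentType.split` would throw, which is a separate guard to add. The enclosing class continues outside the hunk.
```scala
  /** Serves user-supplied bytes without letting the browser run them as script (against XSS). */
  def outputUploadedRawData[DATATYPE](contentType: String, rawData: DATATYPE): DATATYPE = {
    // Media type only: drop parameters such as "; charset=utf-8" before comparing.
    val mediaType = contentType.split(";").head.trim.toLowerCase
    // Types a browser executes script from when it navigates to the file directly;
    // text/html is not the only one.
    val activeTypes = Set("text/html", "application/xhtml+xml", "image/svg+xml",
      "text/xml", "application/xml")
    this.contentType = if(activeTypes.contains(mediaType)) "text/plain" else contentType
    response.setHeader("X-Content-Type-Options", "nosniff")
    // Defence in depth: even if a type is missing from the list above, nothing in this
    // response can run script or read the application's origin.
    response.setHeader("Content-Security-Policy", "sandbox")
    rawData
  }
```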
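Review bot: Issue attachments are typed purely from the extension the uploader chose (`FileUtil.getMimeType(file.getName)`), and the helper as added only rewrites `text/html`, so an attachment named `.svg` or `.xhtml` is still served as renderable content under the application's origin. Since these files are attachments rather than pages, a `Content-Disposition: attachment` header for anything that is not an image would make the browser download them instead of rendering them, independent of how complete the helper's deny-list is; e.g. `if(!mimeType.startsWith("image/")) response.setHeader("Content-Disposition", "attachment; filename=\"" + file.getName + "\"")` before the call, quoting the name or using the `:file` id if stored names are not sanitised. Whether inline display of non-image attachments is relied on elsewhere is not visible in this hunk. The enclosing route starts outside the hunk.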
diff --git a/src/main/scala/app/RepositoryViewerController.scala b/src/main/scala/app/RepositoryViewerController.scala
index 00f6755..192fe0f 100644
--- a/src/main/scala/app/RepositoryViewerController.scala
+++ b/src/main/scala/app/RepositoryViewerController.scala
@@ -214,8 +214,7 @@
       if(raw){
         // Download
         defining(JGitUtil.getContentFromId(git, objectId, false).get){ bytes =>
-          contentType = FileUtil.getContentType(path, bytes)
-          bytes
+          outputUploadedRawData(FileUtil.getContentType(path, bytes), bytes)
         }
       } else {
         repo.html.blob(id, repository, path.split("/").toList, JGitUtil.getContentInfo(git, path, objectId),
diff --git a/src/main/scala/app/WikiController.scala b/src/main/scala/app/WikiController.scala
index 5270d03..ea43491 100644
--- a/src/main/scala/app/WikiController.scala
+++ b/src/main/scala/app/WikiController.scala
@@ -164,8 +164,7 @@
     val path = multiParams("splat").head
     getFileContent(repository.owner, repository.name, path).map { bytes =>
-      contentType = FileUtil.getContentType(path, bytes)
-      bytes
+      outputUploadedRawData(FileUtil.getContentType(path, bytes), bytes)
     } getOrElse NotFound
   })
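Review bot: The `raw` branch is commented `// Download` but the response is still delivered inline, so the only protection against a committed `.svg`/`.xhtml`/XML file rendering as script in the application's origin is whatever `outputUploadedRawData` rewrites, which this hunk does not show. If the branch really is a download, a `Content-Disposition: attachment; filename="..."` header built from the basename of `path` would make the type question moot; if it is meant for inline viewing (e.g. linked images), that header would break it, so the intent needs confirming. `getContentFromId(...).get` on the context line above will throw when the object is missing rather than fall through to `NotFound`, which is pre-existing but worth a follow-up. The enclosing route starts and ends outside the hunk.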