export: Fix XSS vulnerability

Mitigates CVE-2024-47880.
See GHSA-79jv-5226-783f

By setting the contentType parameter to text/html and choosing export
parameters which include a script in the text output, an attacker would
be able to execute arbitrary code in the browser, inside OpenRefine's
origin.

The contentType parameter is not actually supplied in any internal
calls, meaning that the content type declared by the exporter is always
used, so we drop support for this parameter.

Author: wetneb

Diff for: main/src/com/google/refine/commands/project/ExportRowsCommand.java

@@ -67,7 +67,8 @@ public class ExportRowsCommand extends Command {
     private static final Logger logger = LoggerFactory.getLogger("ExportRowsCommand");
 
     /**
-     * This command uses POST but is left CSRF-unprotected as it does not incur a state change.
+     * This command uses POST but is left CSRF-unprotected as it does not incur a state change. TODO: add CSRF
+     * protection anyway, as it does not cost much and could still have prevented an XSS vulnerability
      */
 
     @Deprecated(since = "3.9")
@@ -105,11 +106,9 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
                 exporter = new CsvExporter('\t');
             }
 
-            String contentType = params.get("contentType");
-            if (contentType == null) {
-                contentType = exporter.getContentType();
-            }
-            response.setHeader("Content-Type", contentType);
+            response.setHeader("Content-Type", exporter.getContentType());
+            // in case the content-type is text/html, to avoid XSS attacks
+            response.setHeader("Content-Security-Policy", "script-src 'none'; connect-src 'none'");
 
             String preview = params.get("preview");
             if (!"true".equals(preview)) {