Thanks to a comment from “Anon,” I’m auditing the media types used to serve files from the “Browse” links on the site. The browse interface is managed by Plack::App::Directory, which gets its media type mapping from this file. What PGXN::API does is simply change the mappings of some of those types to text/plain. As of this commit, files are served as plain text if:

• The strings “html”, “x-c”, “xml”, “calendar”, or “vcard” appear in the default media type; or
• The file name extension is one of .bat, .css, .eml, .js, .json, .mime, or .swf.

Are there other media types that should be disabled for safe browsing of user-submitted content?