SECURITY: Ensure only image uploads can be inlined

This prevents malicious files (for example special crafted XMLs) to be
used in XSS attacks.

app/controllers/uploads_controller.rb

@@ -207,10 +207,10 @@ class UploadsController < ApplicationController
       content_type: MiniMime.lookup_by_filename(upload.original_filename)&.content_type
     }
 
-    if params[:inline]
-      opts[:disposition] = "inline"
-    elsif !FileHelper.is_supported_image?(upload.original_filename)
+    if !FileHelper.is_supported_image?(upload.original_filename)
       opts[:disposition] = "attachment"
+    elsif params[:inline]
+      opts[:disposition] = "inline"
     end
 
     file_path = Discourse.store.path_for(upload)