Bug 728892: The attachment "Details" page is still vulnerable to Clickjacking with SVG or XHTML attachments

r/a=justdave
author: Frédéric Buclin <LpSolit@gmail.com> 2014-03-12 19:25:25 +0100
committer: Frédéric Buclin <LpSolit@gmail.com> 2014-03-12 19:25:25 +0100
commit: ca7b39aa66be9b4deea1ead8e6a788025759b80d (patch)
tree: 175449c1a84408cdd89c244c834d0f13f115358b /template/en/default/attachment/edit.html.tmpl
parent: d51abfd7e3e1fcc3eea37e72ab0f49f3e28950a2 (diff)
download: bugzilla-ca7b39aa66be9b4deea1ead8e6a788025759b80d.tar.gz
bugzilla-ca7b39aa66be9b4deea1ead8e6a788025759b80d.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index dbcef2a71..1ab30853c 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -197,7 +197,7 @@
                  readonly = 'readonly'
               %]
             [% ELSE %]
-              <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]">
+              <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]" sandbox>
                 <b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
                 <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
               </iframe>
author	Frédéric Buclin <LpSolit@gmail.com>	2014-03-12 19:25:25 +0100
committer	Frédéric Buclin <LpSolit@gmail.com>	2014-03-12 19:25:25 +0100
commit	ca7b39aa66be9b4deea1ead8e6a788025759b80d (patch)
tree	175449c1a84408cdd89c244c834d0f13f115358b /template/en/default/attachment/edit.html.tmpl
parent	d51abfd7e3e1fcc3eea37e72ab0f49f3e28950a2 (diff)
download	bugzilla-ca7b39aa66be9b4deea1ead8e6a788025759b80d.tar.gz bugzilla-ca7b39aa66be9b4deea1ead8e6a788025759b80d.tar.xz