summaryrefslogtreecommitdiffstats
path: root/template/en/default/attachment
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2014-03-12 19:25:25 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2014-03-12 19:25:25 +0100
commitca7b39aa66be9b4deea1ead8e6a788025759b80d (patch)
tree175449c1a84408cdd89c244c834d0f13f115358b /template/en/default/attachment
parentd51abfd7e3e1fcc3eea37e72ab0f49f3e28950a2 (diff)
downloadbugzilla-ca7b39aa66be9b4deea1ead8e6a788025759b80d.tar.gz
bugzilla-ca7b39aa66be9b4deea1ead8e6a788025759b80d.tar.xz
Bug 728892: The attachment "Details" page is still vulnerable to Clickjacking with SVG or XHTML attachments
r/a=justdave
Diffstat (limited to 'template/en/default/attachment')
-rw-r--r--template/en/default/attachment/edit.html.tmpl2
-rw-r--r--template/en/default/attachment/show-multiple.html.tmpl2
2 files changed, 2 insertions, 2 deletions
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index dbcef2a71..1ab30853c 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -197,7 +197,7 @@
readonly = 'readonly'
%]
[% ELSE %]
- <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]">
+ <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]" sandbox>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
<a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
</iframe>
diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl
index a7c266b3c..e2c95cb80 100644
--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -78,7 +78,7 @@
classes = 'viewall_frame'
%]
[% ELSE %]
- <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
+ <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame" sandbox>
<b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
<a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
</iframe>