authorFrédéric Buclin <LpSolit@gmail.com>2012-02-08 16:51:48 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2012-02-08 16:51:48 +0100
commit686f3c40af0d189f86af06cc2db3b5c4080164d6 (patch)
tree95f59596093014dfa5d1477e7b75f8bb5b030918 /template/en
parent8190b97973f647c8f7b16d9f5e2f0b2092cab49c (diff)
downloadbugzilla-686f3c40af0d189f86af06cc2db3b5c4080164d6.tar.gz
bugzilla-686f3c40af0d189f86af06cc2db3b5c4080164d6.tar.xz
Bug 722161: Clickjacking is possible in "View All" with HTML attachments
r=dkl a=LpSolit
Diffstat (limited to 'template/en')
-rw-r--r--template/en/default/attachment/show-multiple.html.tmpl20
1 files changed, 16 insertions, 4 deletions
diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl
index e238e5f49..91768c0d3 100644
--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -88,10 +88,22 @@
</table>
[% IF a.is_viewable %]
- <iframe src="attachment.cgi?id=[% a.id %]" width="75%" height="350">
- <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
- <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
- </iframe>
+ [% IF a.contenttype == "text/html" %]
+ [%# For security reasons (clickjacking, embedded scripts), we never
+ # render HTML pages from here. The source code is displayed instead. %]
+ [% INCLUDE global/textarea.html.tmpl
+ minrows = 10
+ cols = 80
+ defaultcontent = a.data
+ readonly = 'readonly'
+ classes = 'viewall_frame'
+ %]
+ [% ELSE %]
+ <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
+ <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
+ <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
+ </iframe>
+ [% END %]
[% ELSE %]
<p><b>
Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*.