diff options
| -rw-r--r-- | template/en/default/attachment/edit.html.tmpl | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl index d3d5dae95..31dd91c8c 100644 --- a/template/en/default/attachment/edit.html.tmpl +++ b/template/en/default/attachment/edit.html.tmpl @@ -190,9 +190,12 @@ [% END %] </a> </p> - [% ELSIF attachment.contenttype == "text/html" %] + [% ELSIF attachment.contenttype.match('^text/') %] [%# For security reasons (clickjacking, embedded scripts), we never - # render HTML pages from here. The source code is displayed instead. %] + # render HTML, XML or SVG pages directly. The source code for all + # text/* MIME types is displayed instead. If someone tries to abuse + # Bugzilla by manually editing the MIME type, it will be caught + # by the iframe below, thanks to its 'sandbox' attribute. %] [% INCLUDE global/textarea.html.tmpl id = 'viewFrame' minrows = 10 @@ -201,6 +204,8 @@ readonly = 'readonly' %] [% ELSE %] + [%# The 'sandbox' attribute causes all scripts and form submissions + # embedded in the attachment to be disabled, for security reasons. %] <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]" sandbox> <b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b> |