summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--template/en/default/attachment/edit.html.tmpl9
1 files changed, 7 insertions, 2 deletions
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index d3d5dae95..31dd91c8c 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -190,9 +190,12 @@
[% END %]
</a>
</p>
- [% ELSIF attachment.contenttype == "text/html" %]
+ [% ELSIF attachment.contenttype.match('^text/') %]
[%# For security reasons (clickjacking, embedded scripts), we never
- # render HTML pages from here. The source code is displayed instead. %]
+ # render HTML, XML or SVG pages directly. The source code for all
+ # text/* MIME types is displayed instead. If someone tries to abuse
+ # Bugzilla by manually editing the MIME type, it will be caught
+ # by the iframe below, thanks to its 'sandbox' attribute. %]
[% INCLUDE global/textarea.html.tmpl
id = 'viewFrame'
minrows = 10
@@ -201,6 +204,8 @@
readonly = 'readonly'
%]
[% ELSE %]
+ [%# The 'sandbox' attribute causes all scripts and form submissions
+ # embedded in the attachment to be disabled, for security reasons. %]
<iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]" sandbox>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
<a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>