Diffstat (limited to 'template')
-rw-r--r-- | template/en/default/attachment/edit.html.tmpl | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index d1861a7d3..b9e2497fd 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -172,7 +172,7 @@
 </b></p>
 </div>
 [% ELSIF attachment.is_viewable %]
- <div >
+ <div>
 [% INCLUDE global/textarea.html.tmpl
 id = 'editFrame'
 name = 'comment'
@@ -183,10 +183,27 @@
 defaultcontent = (attachment.contenttype.match('^text\/')) ?
 attachment.data.replace('(.*\n|.+)', '>$1') : undef
 %]
- <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]">
- <b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
- <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
- </iframe>
+ [%# The regexp is stolen from quoteUrls(), see Template.pm %]
+ [% safe_protocols = constants.SAFE_PROTOCOLS.join('|') %]
+ [% IF attachment.contenttype == 'text/plain'
+ && attachment.data.match("^($safe_protocols):" _ '[^\s<>\"]+[\w\/]$') %]
+ <p>
+ <a href="[% attachment.data FILTER html %]">
+ [% IF attachment.datasize < 120 %]
+ [% attachment.data FILTER html %]
+ [% ELSE %]
+ [% attachment.data FILTER truncate(80) FILTER html %]
+ ...
+ [% attachment.data.match('.*(.{20})$').0 FILTER html %]
+ [% END %]
+ </a>
+ </p>
+ [% ELSE %]
+ <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]">
+ <b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
+ <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
+ </iframe>
+ [% END %]
 <script type="text/javascript">
 <!--
 var patchviewerinstalled = 0; |
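Review bot: The `$` anchor in the new `attachment.data.match("^($safe_protocols):" _ '[^\s<>\"]+[\w\/]$')` test still matches when the text/plain attachment ends in a single newline, so a "URL plus newline" file is rendered as a link whose href carries that trailing newline through `FILTER html`; anchoring with `'[^\s<>\"]+[\w\/]\z'` (or trimming the data before the match) makes the allowlisted-scheme check apply to the whole value. The scheme allowlist built from `constants.SAFE_PROTOCOLS` plus `FILTER html` on the href are the controls that keep attacker-controlled attachment content from becoming an arbitrary-scheme link, and the `[%# The regexp is stolen from quoteUrls() ... %]` comment admits the pattern is now duplicated from Template.pm, so a later tightening of quoteUrls() would not reach this page; exposing the pattern as a shared constant would keep the two in step. As a presentation nit, Template Toolkit's `truncate` appends "..." by default when it cuts, so the `FILTER truncate(80)` line followed by the literal `...` line likely prints two ellipses — `truncate(80, '')` would avoid that, if the double marker is not intended. The enclosing `[% ELSIF attachment.is_viewable %]` block begins in the first hunk and continues past the end of this one.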