From 578d62aea57e106bbb79e3c3e6a18aa58fbbe99f Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Wed, 8 Feb 2012 16:49:25 +0100 Subject: Bug 722161: Clickjacking is possible in "View All" with HTML attachments r=dkl a=LpSolit --- skins/standard/attachment.css | 5 +++++ .../en/default/attachment/show-multiple.html.tmpl | 20 ++++++++++++++++---- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/skins/standard/attachment.css b/skins/standard/attachment.css index b3c21bccf..3f037c956 100644 --- a/skins/standard/attachment.css +++ b/skins/standard/attachment.css @@ -210,6 +210,11 @@ div#update_container { margin-left: 2%; } +.viewall_frame { + width: 75%; + height: 350px; +} + .details span.bz_private{ border-left: 1px solid darkred; padding-left: 0.5em; diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl index 64b6ce767..8791e0dfe 100644 --- a/template/en/default/attachment/show-multiple.html.tmpl +++ b/template/en/default/attachment/show-multiple.html.tmpl @@ -75,10 +75,22 @@ [% IF a.is_viewable %] - + [% IF a.contenttype == "text/html" %] + [%# For security reasons (clickjacking, embedded scripts), we never + # render HTML pages from here. The source code is displayed instead. %] + [% INCLUDE global/textarea.html.tmpl + minrows = 10 + cols = 80 + defaultcontent = a.data + readonly = 'readonly' + classes = 'viewall_frame' + %] + [% ELSE %] + + [% END %] [% ELSE %]

Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*. -- cgit v1.2.3-24-g4f1b