From 686f3c40af0d189f86af06cc2db3b5c4080164d6 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Wed, 8 Feb 2012 16:51:48 +0100 Subject: Bug 722161: Clickjacking is possible in "View All" with HTML attachments r=dkl a=LpSolit --- skins/standard/attachment.css | 5 +++++ .../en/default/attachment/show-multiple.html.tmpl | 20 ++++++++++++++++---- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/skins/standard/attachment.css b/skins/standard/attachment.css index 287160331..55e62f2b0 100644 --- a/skins/standard/attachment.css +++ b/skins/standard/attachment.css @@ -221,6 +221,11 @@ div#update_container { margin-left: 2%; } +.viewall_frame { + width: 75%; + height: 350px; +} + .details span.bz_private{ border-left: 1px solid darkred; padding-left: 0.5em; diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl index e238e5f49..91768c0d3 100644 --- a/template/en/default/attachment/show-multiple.html.tmpl +++ b/template/en/default/attachment/show-multiple.html.tmpl @@ -88,10 +88,22 @@ [% IF a.is_viewable %] - + [% IF a.contenttype == "text/html" %] + [%# For security reasons (clickjacking, embedded scripts), we never + # render HTML pages from here. The source code is displayed instead. %] + [% INCLUDE global/textarea.html.tmpl + minrows = 10 + cols = 80 + defaultcontent = a.data + readonly = 'readonly' + classes = 'viewall_frame' + %] + [% ELSE %] + + [% END %] [% ELSE %]

Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*. -- cgit v1.2.3-24-g4f1b