From 578d62aea57e106bbb79e3c3e6a18aa58fbbe99f Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Wed, 8 Feb 2012 16:49:25 +0100 Subject: Bug 722161: Clickjacking is possible in "View All" with HTML attachments r=dkl a=LpSolit --- .../en/default/attachment/show-multiple.html.tmpl | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) (limited to 'template/en/default') diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl index 64b6ce767..8791e0dfe 100644 --- a/template/en/default/attachment/show-multiple.html.tmpl +++ b/template/en/default/attachment/show-multiple.html.tmpl @@ -75,10 +75,22 @@ [% IF a.is_viewable %] - + [% IF a.contenttype == "text/html" %] + [%# For security reasons (clickjacking, embedded scripts), we never + # render HTML pages from here. The source code is displayed instead. %] + [% INCLUDE global/textarea.html.tmpl + minrows = 10 + cols = 80 + defaultcontent = a.data + readonly = 'readonly' + classes = 'viewall_frame' + %] + [% ELSE %] + + [% END %] [% ELSE %]

Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*. -- cgit v1.2.3-24-g4f1b