From fc55ae56a457aa489da0ad72fac598f40d0df8c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Sat, 22 Apr 2017 19:14:24 +0200 Subject: Backport upstream bug 1235772: Display all text/* attachments as plain text in the "Details" page --- template/en/default/attachment/edit.html.tmpl | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl index 184cdde05..570b611b2 100644 --- a/template/en/default/attachment/edit.html.tmpl +++ b/template/en/default/attachment/edit.html.tmpl @@ -188,9 +188,12 @@ [% END %]

- [% ELSIF attachment.contenttype == "text/html" %] + [% ELSIF attachment.contenttype.match('^text/') %] [%# For security reasons (clickjacking, embedded scripts), we never - # render HTML pages from here. The source code is displayed instead. %] + # render HTML, XML or SVG pages directly. The source code for all + # text/* MIME types is displayed instead. If someone tries to abuse + # Bugzilla by manually editing the MIME type, it will be caught + # by the iframe below, thanks to its 'sandbox' attribute. %] [% INCLUDE global/textarea.html.tmpl id = 'viewFrame' minrows = 10 @@ -199,6 +202,8 @@ readonly = 'readonly' %] [% ELSE %] + [%# The 'sandbox' attribute causes all scripts and form submissions + # embedded in the attachment to be disabled, for security reasons. %]