Commit 578d62ae authored by Frédéric Buclin's avatar Frédéric Buclin

Bug 722161: Clickjacking is possible in "View All" with HTML attachments

r=dkl a=LpSolit
parent b4a60112
......@@ -210,6 +210,11 @@ div#update_container {
margin-left: 2%;
}
.viewall_frame {
width: 75%;
height: 350px;
}
.details span.bz_private{
border-left: 1px solid darkred;
padding-left: 0.5em;
......
......@@ -75,10 +75,22 @@
</table>
[% IF a.is_viewable %]
<iframe src="attachment.cgi?id=[% a.id %]" width="75%" height="350">
<b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
<a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
</iframe>
[% IF a.contenttype == "text/html" %]
[%# For security reasons (clickjacking, embedded scripts), we never
# render HTML pages from here. The source code is displayed instead. %]
[% INCLUDE global/textarea.html.tmpl
minrows = 10
cols = 80
defaultcontent = a.data
readonly = 'readonly'
classes = 'viewall_frame'
%]
[% ELSE %]
<iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
<b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
<a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
</iframe>
[% END %]
[% ELSE %]
<p><b>
Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment