Commit e7fb5b6b authored by Frédéric Buclin's avatar Frédéric Buclin

Bug 716283: Clickjacking in the attachment "Details" page allows bypassing token checks

r=dkl a=LpSolit
parent e50fc496
......@@ -195,6 +195,16 @@
[% END %]
</a>
</p>
[% ELSIF attachment.contenttype == "text/html" %]
[%# For security reasons (clickjacking, embedded scripts), we never
# render HTML pages from here. The source code is displayed instead. %]
[% INCLUDE global/textarea.html.tmpl
id = 'viewFrame'
minrows = 10
cols = 80
defaultcontent = attachment.data
readonly = 'readonly'
%]
[% ELSE %]
<iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]">
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
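Review bot: the new branch only catches attachments whose content type is exactly "text/html"; the comparison `[% ELSIF attachment.contenttype == "text/html" %]` is a plain string equality, so a stored content type carrying parameters (for example a charset suffix) or a different casing would not match and would still fall through to the `<iframe>` in the ELSE branch, which is the framing this patch is meant to avoid. Consider normalising the content type (or matching on its media-type part only) before the comparison. Separately, since the source is now placed in a textarea via `defaultcontent = attachment.data`, please confirm that global/textarea.html.tmpl applies `FILTER html` to defaultcontent; otherwise a closing textarea tag inside the attachment body would end the textarea early and the rest of the attachment would be rendered as markup.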
......@@ -21,6 +21,8 @@
# style: (optional) The "style"-attribute of the textarea.
# classes: (optional) The "class"-attribute of the textarea.
# wrap: (deprecated; optional) The "wrap"-attribute of the textarea.
# disabled: (optional) Disable the textarea.
# readonly: (optional) Prevent the textarea from being edited.
# minrows: (required) Number of rows the textarea shall have initially
# and when not having focus.
# maxrows: (optional) Number of rows the textarea shall have if
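Review bot: the parameter documentation for `readonly` could be a little more precise, since the neighbouring `disabled` entry describes a different behaviour: a readonly textarea keeps its value in the form submission and stays focusable, whereas a disabled one is not submitted at all. A short note such as "readonly: (optional) Prevent the textarea from being edited; the value is still submitted with the form." would make the distinction clear to template authors choosing between the two.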
......@@ -42,6 +44,7 @@
[% IF classes %] class="[% classes FILTER html %]"[% END %]
[% IF wrap %] wrap="[% wrap FILTER html %]"[% END %]
[% IF disabled %] disabled="disabled"[% END %]
[% IF readonly %] readonly="readonly"[% END %]
[% IF defaultrows && user.settings.zoom_textareas.value == 'off' %]
rows="[% defaultrows FILTER html %]"
[% ELSE %]