https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42080

--- Comment #1 from Eric Phetteplace <[email protected]> ---
FYI I tested my proposed change (CSP header instead of attachment header) and
the results look correct. I have two identical files named malicious.svg and
malicious.svg.pdf with a `console.log("hello")` script in them:

- malicious.svg: browser console shows "Executing inline script violates the
following Content Security Policy directive 'script-src 'none''." and nothing
is logged
- malicious.svg.pdf: browser says "Error: Failed to load PDF document" because
the file is not a valid PDF

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
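An added example (not Koha's code) of the header strategy the comment tests: uploaded files are served inline with a `script-src 'none'` CSP so an inline script in an SVG is blocked, and a file whose extension claims a type with a known magic signature (like the renamed `.svg.pdf`) that does not match is sent as a forced download instead. The extension map, signature table and header set are assumptions.

```python
# Added example, not Koha's implementation. Maps an upload's name and bytes to
# the response headers a download endpoint would emit. Assumptions: the small
# extension->type map and magic-byte table below, and the header set chosen.

# Known leading bytes for types we are willing to render inline.
MAGIC = {
    "application/pdf": (b"%PDF-",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}
DECLARED = {"svg": "image/svg+xml", "pdf": "application/pdf",
            "png": "image/png", "jpg": "image/jpeg"}


def response_headers(name: str, data: bytes) -> dict:
    """Headers for serving an uploaded file inline (not as an attachment).

    The CSP forbids every script source, so an inline <script> in an SVG is
    reported as a CSP violation instead of running. nosniff stops the browser
    from guessing a different type from the bytes.
    """
    ext = name.rsplit(".", 1)[-1].lower()
    ctype = DECLARED.get(ext, "application/octet-stream")
    headers = {
        "Content-Security-Policy": "script-src 'none'",
        "X-Content-Type-Options": "nosniff",
        "Content-Type": ctype,
    }
    magics = MAGIC.get(ctype)
    if magics is not None and not data.startswith(magics):
        # The name claims a type with a known signature but the bytes do not
        # match (an SVG renamed to .pdf): do not render it, force a download.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers


# Constructed sample: the same SVG-with-script body under two file names.
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>console.log("hello")</script></svg>')

if __name__ == "__main__":
    for fname in ("malicious.svg", "malicious.svg.pdf"):
        print(fname, response_headers(fname, SAMPLE_SVG))
```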