On Tue 19.Jan'10 at 13:15:59 +0000, Dominic Hargreaves wrote:
> I've noticed that there is some logic to override the mime type of
> HTML attachments ($TrustHTMLAttachments config) to avoid javascript
> XSS attacks in RT.
>
> Now, let me start by saying that my practical knowledge of some of the
> more recent XSS issues is by no means comprehensive, but it struck me
> that as well as being confusing for the user, this protection is rather
> incomplete. There are a number of other content types that could supply
> "active" content (application/javascript and friends for example - although
> it appears that my browser doesn't attempt to execute javascript delivered
> as application/javascript on its own).
>
> I'm led to believe that a better way of serving up user supplied
> (untrusted) files is to add a Content-Disposition: attachment header.

How does http://github.com/bestpractical/rt/commit/dde5b99 look for this to you?

Best,
Jesse
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
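The two approaches discussed in this thread side by side, as an added example that is not RT's code and not from the linked commit: the "override the MIME type of HTML only" logic that Dominic describes as incomplete, next to a response-header builder that serves every untrusted upload with Content-Disposition: attachment. The example also adds X-Content-Type-Options: nosniff and a filename cleaner (a CR/LF in an uploaded filename would otherwise let the uploader inject response headers); those are this example's additions, and the type lists, function names and the constructed filenames are assumptions of the example, not anything RT defines.

```python
"""Serving user-supplied (untrusted) attachments without letting the browser run
them in the application's origin.

Added illustration for this thread; not code from RT.  ACTIVE_TYPES,
INLINE_SAFE_TYPES and the function names are this example's own."""
import re
import unicodedata
from urllib.parse import quote

# Types a browser may execute, or render as markup, in the serving origin.
# Downgrading text/html alone (the $TrustHTMLAttachments-style override the
# thread discusses) leaves all of these untouched.  Constructed, not exhaustive.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml",
    "application/xml", "application/javascript", "text/javascript",
    "application/ecmascript", "text/ecmascript",
}

# Types that can be displayed inline without running script once sniffing is off.
INLINE_SAFE_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif"}


def media_type(content_type):
    """'text/HTML; charset=utf-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def legacy_override_mime(content_type):
    """The incomplete approach: HTML becomes text/plain, everything else passes through."""
    return "text/plain" if media_type(content_type) == "text/html" else content_type


def is_active(content_type):
    """True when the legacy override would still hand the browser active content."""
    return media_type(content_type) in ACTIVE_TYPES


def safe_filename(name):
    """Return (ascii_name, utf8_name) for the filename= and filename*= parameters.

    Drops any directory part and every control character: CR/LF in a filename
    would otherwise terminate the header and let the uploader add new ones."""
    name = re.split(r"[\\/]", name)[-1]
    name = "".join(ch for ch in name if unicodedata.category(ch)[0] != "C")
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    ascii_name = ascii_name.replace('"', "").replace("\\", "").strip() or "attachment"
    utf8_name = quote(name or "attachment", safe="")  # RFC 5987 percent-encoding
    return ascii_name, utf8_name


def attachment_headers(content_type, filename, allow_inline=False):
    """Response headers for an untrusted file.

    Content-Disposition is 'attachment' unless the caller opts into inline
    display AND the declared type is on the inline-safe list.  The declared
    Content-Type is kept (downloads still open in the right program); nosniff
    stops the browser from second-guessing it."""
    ascii_name, utf8_name = safe_filename(filename)
    disposition = "attachment"
    if allow_inline and media_type(content_type) in INLINE_SAFE_TYPES:
        disposition = "inline"
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": (
            f'{disposition}; filename="{ascii_name}"; filename*=UTF-8\'\'{utf8_name}'
        ),
    }


if __name__ == "__main__":
    # Constructed inputs: what the legacy override does to a few uploaded types.
    for ct in ("text/html", "application/javascript", "image/svg+xml"):
        print(f"{ct:24} -> {legacy_override_mime(ct):24} active: {is_active(ct)}")
    # A constructed hostile filename that tries to smuggle in a header.
    for k, v in attachment_headers("text/html; charset=utf-8",
                                   "../report\r\nX-Evil: 1.html").items():
        print(f"{k}: {v}")
```

The comparison is the point: legacy_override_mime("application/javascript") returns it unchanged, while attachment_headers serves the same file as a download regardless of type, and only an explicit allow_inline for a type that cannot carry script ever yields inline.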
