On Tue, Feb 02, 2010 at 11:22:56AM -0800, Jesse Vincent wrote:
> On Tue 19.Jan'10 at 13:15:59 +, Dominic Hargreaves wrote:
> > I've noticed that there is some logic to override the MIME type of
> > HTML attachments ($TrustHTMLAttachments config) to avoid JavaScript
> > XSS attacks in RT.
> >
>
On Tue 19.Jan'10 at 13:15:59 +, Dominic Hargreaves wrote:
> I've noticed that there is some logic to override the MIME type of
> HTML attachments ($TrustHTMLAttachments config) to avoid JavaScript
> XSS attacks in RT.
>
>
> Now, let me start by saying that my practical knowledge of some of
On Tue, Jan 19, 2010 at 01:15:59PM +, Dominic Hargreaves wrote:
> I've noticed that there is some logic to override the MIME type of
> HTML attachments ($TrustHTMLAttachments config) to avoid JavaScript
> XSS attacks in RT.
Sorry, I've been on jury duty since this came in and there was a sm
I've noticed that there is some logic to override the MIME type of
HTML attachments ($TrustHTMLAttachments config) to avoid JavaScript
XSS attacks in RT.
This was flagged up by a user who was, not unreasonably, confused that
this meant that HTML attachments just resulted in the browser displaying