Closed Bug 1235772 Opened 10 years ago Closed 10 years ago

Display all text/* attachments as plain text in the "Details" page

Categories: Bugzilla :: Attachments & Requests
Type: enhancement
Priority: Not set
Severity: normal

Tracking: RESOLVED FIXED, target milestone Bugzilla 6.0
People

(Reporter: LpSolit, Assigned: LpSolit)

Details

Attachments

(1 file)

There are still many users reporting bugs that you can do XSS with attachments if you use MIME types such as text/xml or SVG. Just see all the duplicates in bug 38862. One of the reasons is that BMO is way behind (still runs 4.2) and so didn't move to HTML5 capabilities available in Bugzilla 5.0 yet. With HTML5, you can use the 'sandbox' attribute on <iframe> which blocks all scripts and form submissions. This means that it's no longer possible to trigger popups from the Details page (since Bugzilla 5.0!). But this also means that it makes less sense to still try to render the generated XML or SVG page, because scripts are disabled. So my proposal is to always display the source code of attachments whose MIME type is text/* instead of doing it for text/html only. Of course, we must keep <iframe sandbox> in the code in case someone tries to fool the web browser by typing another MIME type, e.g. image/*, and expects the web browser to sniff its content to render it as an HTML/XML/SVG/... page. This bug is independent of bug 549182.
Assignee: attach-and-request → LpSolit
Summary: Display all text/* attachment as plain text in the "Details" page → Display all text/* attachments as plain text in the "Details" page
Target Milestone: --- → Bugzilla 6.0
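The rendering rule proposed in the comment above, as an added Python sketch that is not Bugzilla's own code (Bugzilla is written in Perl); the raw-attachment URL is a constructed placeholder. It also shows why the sandbox must stay: image/svg+xml is not text/*, so it never reaches the plain-text path.

```python
import html

# Constructed placeholder for the URL that serves the raw attachment bytes;
# it stands in for whatever the real viewer would use (not a Bugzilla path).
RAW_URL = "https://example.invalid/attachment/1/raw"


def major_type(mime_type: str) -> str:
    """Return the lower-cased major type ('text' for 'Text/XML; charset=x')."""
    return mime_type.split(";", 1)[0].strip().lower().split("/", 1)[0]


def render_attachment_details(mime_type: str, data: bytes, raw_url: str = RAW_URL) -> str:
    """Return the HTML fragment the Details page embeds for one attachment.

    Rule from the bug: any text/* attachment is shown as escaped source, so
    text/xml, text/html and friends are never interpreted by the browser.
    Everything else (e.g. image/svg+xml, or a mislabelled image/*) is still
    loaded inside <iframe sandbox>, so a browser that sniffs the bytes as
    markup cannot run scripts or submit forms.
    """
    if major_type(mime_type) == "text":
        source = html.escape(data.decode("utf-8", errors="replace"))
        return f"<pre>{source}</pre>"
    # An empty sandbox attribute enables every restriction at once.
    return f'<iframe sandbox src="{html.escape(raw_url, quote=True)}"></iframe>'


if __name__ == "__main__":
    # Constructed sample attachments; the markup is inert once escaped.
    samples = {
        "text/xml": b'<svg onload="run()"/>',
        "Text/HTML; charset=utf-8": b"<b>x</b>",
        "image/svg+xml": b"<svg/>",
    }
    for mt, body in samples.items():
        print(mt, "->", render_attachment_details(mt, body))
```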
Attached patch: patch, v1
Attachment #8702922 - Flags: review?(gerv)
Comment on attachment 8702922 (patch, v1):
r=gerv.
Gerv
Attachment #8702922 - Flags: review?(gerv) → review+
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 160a960..76d1a3d master -> master
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
