Closed
Bug 219358
Opened 21 years ago
Closed 21 years ago
attachments with MIME type "application/xhtml+xml" cannot be viewed in the edit page
Categories
(Bugzilla :: Attachments & Requests, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.18
People
(Reporter: steffen.wilberg, Assigned: gerv)
References
()
Details
(Keywords: xhtml)
Attachments
(1 file, 1 obsolete file)
4.18 KB,
patch
|
justdave
:
review+
kiko
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030914 Firebird/0.6.1+ Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030914 Firebird/0.6.1+ Attachments with MIME type "application/xhtml+xml" are not displayed in the edit page. Reproducible: Always Steps to Reproduce: 1. Click on "Edit" next to an attachment which has the MIME type "application/xhtml+xml" Actual Results: On the right side of the edit page, an error is displayed: "Attachment cannot be viewed because its MIME type is not either text/*, image/*, or application/vnd.mozilla.*. Download the attachment instead." Expected Results: Bugzilla should display the attachment.
Comment 1•21 years ago
|
||
*** Bug 219513 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 2•21 years ago
|
||
Moving to Bugzilla product - this is why I didn't find this bug before filing the dupe. It's a Bugzilla bug, because this MIME type can only be displayed inline on certain browsers, and so need special support. Gerv
Component: Bugzilla: Other moz.org Issues → Attachments & Requests
Product: mozilla.org → Bugzilla
Version: other → 2.10
Comment 3•21 years ago
|
||
idea: since other than UserAgent sniffing (which isn't terribly reliable) there's not an easy way to figure out who can support what, how about if we display the iframe regardless, but pass a different action than "view" (like "inline"). If it's a type we think they can display, it just falls through to "view" anyway. If it's not a type we think all browsers support, that action can display an empty page within the IFRAME that explains it something like this: This attachment is of type <mime-type>, which is not universally viewable in all browsers. If you think your browser should be able to view it, <a>view it anyway</a>. NOTE: If your browser really can't view it, this will probably result in a file download dialog. which then does action=view within the IFRAME when you click the "view it anyway" link.
Assignee | ||
Comment 4•21 years ago
|
||
That sounds a bit clunky... As the web moves more to XHTML, XHTML attachments will become the norm. At what stage will we swap over to just displaying it, or will we have this intermediate screen for evermore? On the other hand, if you just want to request a review or change a flag, currently you have to load the whole patch, even if it's big. Is there an argument for having this feature for all patches? Or all patches over a certain size? Gerv
Comment 5•21 years ago
|
||
> there's not an easy way to figure out who can support what
There's the "Accept:" header....
Assignee | ||
Comment 6•21 years ago
|
||
Yeah, how would that be for a plan? If the attachment is of an explicit type mentioned in the Accept: header, then display it inline. Mozilla's Accept header is: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1 Changing to this algorithm, for Mozilla at least, would mean - we stopped displaying inline text/*, where * is not html, xml or plain - we stopped displaying inline image/*, where * is not png, jpeg or gif - we stopped displaying inline application/vnd.mozilla.* - we started displaying inline application/xml,application/xhtml+xml However, IE's Accept: header is far less useful, so this probably wouldn't work for IE. How about the current set, _plus_ any explicitly mentioned in the Accept: header? Gerv
Reporter | ||
Comment 7•21 years ago
|
||
Our accept header says */* at the end, i.e. it accepts any content, it just prefers other content types (higher "q"). Any browser I know has got an unknown content type dialog, e.g. IE displays a download dialog when served with application/xhtml+xml. So why don't we just let the browser decide what to do with it, display it, use a plugin, or show the unknown content dialog? At least we should keep the current set, _plus_ any explicitly mentioned in the Accept header, as Gerv suggested. Because if we don't display */*, and only the text subcategories xml, text and plain, we'd stop displaying e.g. text/css.
Assignee | ||
Comment 8•21 years ago
|
||
> So why don't we just let the browser decide what to do with it, display it, use > a plugin, or show the unknown content dialog? Because people going to the Edit Attachment screen don't necessarily want to download the attachment. So, we don't want to serve it to them unless it's an iframe-able type. > At least we should keep the current set, _plus_ any explicitly mentioned in the > Accept header, as Gerv suggested. That's sounding like the best plan to me. I'll whip up a patch. Gerv
Comment 9•21 years ago
|
||
Yeah, that was the reason I shied away from using the Accept header before, was because Mozilla has */* in it, and we know serving */* in this situation isn't reliable. Keeping the existing set plus any *explicitly* (not wildcarded) listed in the Accept header would probably work. Or maybe a q-value of 0.2 or better (since the */* as a q=0.1)
Assignee | ||
Comment 10•21 years ago
|
||
This patch changes the behaviour to let through all text/*, image/*, and application/vnd.mozilla.* to Mozilla. In addition, it lets through any type explicitly mentioned (not by wildcard) in the Accept: header. Gerv
Assignee | ||
Comment 11•21 years ago
|
||
Taking. Gerv
Assignee: endico → gerv
Severity: minor → normal
OS: Windows XP → All
Hardware: PC → All
Target Milestone: --- → Bugzilla 2.18
Assignee | ||
Comment 12•21 years ago
|
||
Comment on attachment 135077 [details] [diff] [review] Patch v.1 Requesting review from steffen.wilberg@web.de. Gerv
Attachment #135077 -
Flags: review?(steffen.wilberg)
Reporter | ||
Comment 13•21 years ago
|
||
Comment on attachment 135077 [details] [diff] [review] Patch v.1 It's a great honour for me to be requested for review! I have to note however that I'm not a perl hacker. And I know nothing about the Bugzilla code. But nevertheless, this code looks good. I've also tested this algorithm and it works as it should. >+ my $accept = join(",", $cgi->Accept()); Move this line down, above the if ($accept). We don't need to look at the accept header if the contenttype is text/ or image/ or xul. >+ Attachment cannot be viewed because its MIME type is not one that >+ your browser is able to display. We should tell the user the contenttype. We should also express that it's the browser which makes the decision (by its accept header), not us. Something like: "The MIME type of this attachment is [% contenttype %], which your browser does not explicitly specify that it is able to display." r=me.
Attachment #135077 -
Flags: review?(steffen.wilberg) → review+
Assignee | ||
Comment 14•21 years ago
|
||
Fixed review comments. Gerv
Attachment #135077 -
Attachment is obsolete: true
Assignee | ||
Comment 15•21 years ago
|
||
Comment on attachment 135141 [details] [diff] [review] Patch v.2 Requesting r= and a= from justdave. Gerv
Attachment #135141 -
Flags: review?(justdave)
Comment 16•21 years ago
|
||
Gerv, How do we prevent XSS attacks in html or xml coded attachments??
Comment 17•21 years ago
|
||
Joel: that's bug 38862.
Comment 18•21 years ago
|
||
Comment on attachment 135141 [details] [diff] [review] Patch v.2 > Index: attachment.cgi > @@ -423,6 +423,40 @@ > + $contenttype =~ s/^\s+//; > + $contenttype =~ s/\s+$//; Don't we have a trim() function in Bugzilla::Util that does this? > + # We assume we can view all text and image types > + if ($contenttype =~ /^(text|image)\//) { > + return 1; > + } This is probably a bad assumption. For text it might be okay, but there's a lot of types of images that can't be viewed in an iframe on a lot of browsers. Consider image/svg+xml on a non-svg-enabled browser. It'll probably want to download that. Since just about every browser explicitly lists all the image types they can do, we can probably just use the Accept header to look for image types. Do plugins (think QuickTime) add things to the Accept: header? The rest looks good.
Attachment #135141 -
Flags: review?(justdave) → review-
Assignee | ||
Comment 19•21 years ago
|
||
> Since just about every browser explicitly lists all the image types they can do, That's sadly not true. For example, Mozilla doesn't advertise image/bmp. I can see this generalisation could be a problem, but automatically attempting to render image/* is the current behaviour, and doesn't seem to have caused problems so far. > Do plugins (think QuickTime) add things to the Accept: header? I don't think so, no. At least, not in Mozilla. Gerv
Comment 20•21 years ago
|
||
Comment on attachment 135141 [details] [diff] [review] Patch v.2 OK, I'll give on that, since we're not changing it from the existing behavior. The trim() thing is a nit... r= with that fixed
Attachment #135141 -
Flags: review- → review+
Assignee | ||
Updated•21 years ago
|
Flags: approval?
Updated•21 years ago
|
Flags: approval? → approval+
Comment 21•21 years ago
|
||
Comment on attachment 135141 [details] [diff] [review] Patch v.2 >Index: template/en/default/attachment/edit.html.tmpl %]&action=view">Download the attachment instead</a>. >+ Attachment cannot be viewed because its MIME type >+ ([% contenttype FILTER html %]) is not one that your browser is >+ able to display. >+ </b></p> Maybe "... is not viewable in your browser." ?
Assignee | ||
Comment 22•21 years ago
|
||
Fixed. Checking in attachment.cgi; /cvsroot/mozilla/webtools/bugzilla/attachment.cgi,v <-- attachment.cgi new revision: 1.49; previous revision: 1.48 done Checking in template/en/default/attachment/edit.html.tmpl; /cvsroot/mozilla/webtools/bugzilla/template/en/default/attachment/edit.html.tmpl,v <-- edit.html.tmpl new revision: 1.21; previous revision: 1.20 done Gerv
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 23•21 years ago
|
||
*** Bug 226030 has been marked as a duplicate of this bug. ***
Comment 24•19 years ago
|
||
*** Bug 217449 has been marked as a duplicate of this bug. ***
Updated•12 years ago
|
QA Contact: myk → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•