There is no XSS as you can have all attachments served from an alternate host. If you didn't enable this feature, then you should. It's well known that attachments aren't filtered in any way, and that the user takes the risk to execute JS. Marking the bug as invalid, as the problem described in the bug summary and comment 0 is not a bug but is by design (and is public behavior, not something we try to hide).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID
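The comment above relies on the browser's same-origin policy: script inside an attachment served from a separate origin cannot read the main site's session cookies or DOM. The following added check is example code written for this page, not part of Bugzilla; it assumes the two settings are the main site URL (Bugzilla's `urlbase`) and the attachment URL prefix (`attachment_base`, which may contain a `%bugid%` placeholder), and it reports whether the attachment origin is actually separate and whether the two hosts still fall inside one cookie scope.

```python
from urllib.parse import urlparse

# Default ports the browser assumes when a URL omits one (used for origin comparison).
DEFAULT_PORTS = {"http": 80, "https": 443}


def web_origin(url):
    """Return the (scheme, host, port) tuple a browser uses for same-origin checks."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def check_attachment_isolation(urlbase, attachment_base, sample_bug_id=1):
    """Assess whether attachments are isolated from the main site origin.

    urlbase          - main site URL (assumed to mirror Bugzilla's urlbase parameter)
    attachment_base  - attachment URL prefix; a %bugid% placeholder is substituted
                       with sample_bug_id so the host can be parsed (assumption)
    """
    if not attachment_base:
        return {"isolated": False, "shares_cookie_scope": True,
                "note": "no alternate attachment host configured; attachments share the site origin"}

    site = web_origin(urlbase)
    att = web_origin(attachment_base.replace("%bugid%", str(sample_bug_id)))
    s_host, a_host = site[1], att[1]

    # Same-origin policy compares scheme, host and port exactly.
    isolated = bool(a_host) and site != att

    # A cookie set with Domain=<parent> is sent to every subdomain of <parent>,
    # so a host that is a subdomain (or parent) of the site host can still
    # receive the site's cookies even though it is a different web origin.
    shares_cookie_scope = (
        a_host == s_host
        or a_host.endswith("." + s_host)
        or s_host.endswith("." + a_host)
    )

    if not isolated:
        note = "attachment origin equals site origin; attachment JS can read site cookies/DOM"
    elif shares_cookie_scope:
        note = "separate origin, but hosts share a cookie scope; avoid Domain-scoped session cookies"
    else:
        note = "attachments are on a separate origin and outside the site cookie scope"
    return {"isolated": isolated, "shares_cookie_scope": shares_cookie_scope, "note": note}


if __name__ == "__main__":
    # Constructed sample configurations, not real deployments.
    for base in ("", "https://bugs.example.org/attachment.cgi",
                 "https://attachments.bugs.example.org/",
                 "https://bug%bugid%.attachments.example.net/"):
        print(repr(base), check_attachment_isolation("https://bugs.example.org/", base))
```

Run it once against the real values of the two settings; only the last case (a separate registrable domain) gives both `isolated` and a clean cookie scope.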