diff CHANGES.txt @ 4903:48d93e98be7b
Security non-standard html content as html
Attached html files are not shipped as text/html by default, unless
``allow_html_file`` is specified in the configuration. Unfortunately
some browsers want to be helpful and render other non-standard content
types as html. We now change this to application/octet-stream whenever
'html' is contained in the string (case insensitive). Thanks to Kay
Hayen for reporting and helping debug this.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Fri, 04 Jul 2014 15:43:22 +0200 |
| parents | a403c29ffaf9 |
| children | 3b632a25b1b3 |
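The decision rule the commit message describes, as an added example rather than roundup's own code: the `allow_html_file` option is the one named above, while the function names, the modelled pre-fix check and the sample types are constructed for illustration.

```python
"""Content-Type selection for served attachments (constructed example).

Models the rule in the commit message: an attachment whose stored content
type contains 'html' (case-insensitive) is sent as application/octet-stream
unless the administrator enabled ``allow_html_file``.  Function names and
sample inputs are assumptions made for this example, not roundup's code.
"""

SAFE_DEFAULT = "application/octet-stream"


def response_content_type(declared_type, allow_html_file=False):
    """Return the Content-Type header value to send for an attachment.

    declared_type is the type stored with the file, normally supplied by the
    uploader and therefore untrusted.  Browsers that sniff non-standard types
    such as 'application/x-html' would render them as HTML, so any type whose
    string contains 'html' is downgraded to octet-stream (forcing a download
    rather than rendering) unless allow_html_file is set.
    """
    declared_type = (declared_type or "").strip()
    if not declared_type:
        # No usable type at all: never let the browser guess.
        return SAFE_DEFAULT
    if "html" in declared_type.lower() and not allow_html_file:
        return SAFE_DEFAULT
    return declared_type


def prefix_content_type(declared_type):
    """Modelled pre-fix behaviour (an assumption; the page does not show the
    old code): only the exact type 'text/html' was downgraded, so variants
    like 'TEXT/HTML' or 'application/x-html' were passed through to the
    browser, which may sniff and render them as HTML."""
    declared_type = (declared_type or "").strip()
    if declared_type == "text/html":
        return SAFE_DEFAULT
    return declared_type
```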
--- a/CHANGES.txt Fri Jul 04 15:32:28 2014 +0200 +++ b/CHANGES.txt Fri Jul 04 15:43:22 2014 +0200 @@ -114,6 +114,13 @@ include the email addresses, depending on your installation you may want to further restrict this or add some attributes like ``address`` and ``alternate_addresses``. (Ralf Schlatterbeck) +- Security: Attached html files are not shipped as text/html by default, + unless ``allow_html_file`` is specified in the configuration. + Unfortunately some browsers want to be helpful and render other + non-standard content types as html. We now change this to + application/octet-stream whenever 'html' is contained in the string + (case insensitive). Thanks to Kay Hayen for reporting and helping + debug this. (Ralf Schlatterbeck) Minor: - demo.py usage message improved: explains "nuke" now. (Bernhard Reiter)
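Review bot: the new CHANGES.txt entry says the type is changed "whenever 'html' is contained in the string" without saying which string, and it is unclear whether the ``allow_html_file`` exception applies only to the text/html case or also to the new octet-stream downgrade; suggest wording it as "whenever 'html' appears (case insensitive) in the file's stored content type, unless ``allow_html_file`` is set" and noting that legitimate types such as application/xhtml+xml are affected as well, so administrators know what to expect.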
