<
From version < 10.1 >
edited by Guillaume Delhumeau
on 2013/09/04
To version < 12.1 >
edited by Thomas Mortagne
on 2013/09/05
>
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.gdelhumeau
1 +XWiki.ThomasMortagne
Content
... ... @@ -40,6 +40,12 @@
40 40  Now, we force the Compatibility mode for Internet Explorer (IE) browsers to use the latest rendering mode.
41 41  Before, the IE browser displayed all intranet sites in compatibility mode by default. This means that even if the user was using IE9, he saw the content rendered with IE7 standards. Since we don't [[support>>dev:Community.BrowserSupportStrategy]] IE6/7 anymore this lead in displaying broken layout, scrollbars, etc. See [[XWIKI-8907>>http://jira.xwiki.org/browse/XWIKI-8907]].
42 42  
43 +== Choosing which types of attachments can be displayed inline (Security) ==
44 +
45 +In order to prevent XSS via FileUpload, a new feature has been added : you can now specify in xwiki.properties which types of attachment can be displayed inline.
46 +In the "Attachment" section of xwiki.properties, you can either precise a whitelist of mimetypes that can be displayed inline, or precise a blacklist of mimetypes that shouldn't be displayed inline (if you use this configuration, it is strongly advised to blacklist at least "text/html" and "text/javascript" mimetypes for security reasons).
47 +Note that attachments provided by PR users won't be affected by these restrictions.
48 +
43 43  == Deprecated and Retired projects ==
44 44  
45 45  <description of deprecated and retired projects>
... ... @@ -49,6 +49,7 @@
49 49  The following dependencies have been upgraded:
50 50  
51 51  * [[HSQLDB 2.3.0>>http://jira.xwiki.org/browse/XE-1323]]
58 +* [[Aether 0.9.0.M3>>http://jira.xwiki.org/browse/XCOMMONS-444]]
52 52  
53 53  == Miscellaneous ==
54 54  

Get Connected