From version 61.2
edited by Vincent Massol
on 2013/11/09
To version 61.3
edited by Vincent Massol
on 2014/05/05
Change comment: styling

Summary

Details

Page properties
Content
... ... @@ -129,8 +129,9 @@
129 129  
130 130  == Choosing which types of attachments can be displayed inline (Security) ==
131 131  
132 -In order to prevent XSS via FileUpload, a new feature has been added : you can now specify in xwiki.properties which types of attachment can be displayed inline.
133 -In the "Attachment" section of xwiki.properties, you can either precise a whitelist of mimetypes that can be displayed inline, or precise a blacklist of mimetypes that shouldn't be displayed inline (if you use this configuration, it is strongly advised to blacklist at least "text/html" and "text/javascript" mimetypes for security reasons).
132 +In order to prevent XSS via FileUpload, a new feature has been added: you can now specify in ##xwiki.properties## which types of attachment can be displayed inline.
133 +In the "Attachment" section of ##xwiki.properties##, you can either precise a whitelist of mimetypes that can be displayed inline, or precise a blacklist of mimetypes that shouldn't be displayed inline (if you use this configuration, it is strongly advised to blacklist at least ##text/html## and ##text/javascript## mimetypes for security reasons).
134 +
134 134  Note that attachments provided by users having Programming Rights won't be affected by these restrictions.
135 135  
136 136  == Miscellaneous ==
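Review bot: The rewritten lines 132-133 put ##xwiki.properties## in monospace but still never name the property keys in the "Attachment" section that hold the whitelist and the blacklist, so an administrator reading this security note cannot tell what to set; add the key names or a short sample of that section. While touching these lines, "precise a whitelist" and "precise a blacklist" on new line 133 should read "specify a whitelist" and "specify a blacklist". The sentence also recommends blacklisting "at least" ##text/html## and ##text/javascript## without saying which of the two modes is preferred, so it is worth stating whether the whitelist is the recommended setting.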
