Bug 1235772: Display all text/* attachments as plain text in the "Details" page
authorFrédéric Buclin <LpSolit@gmail.com>
Fri, 8 Jan 2016 17:31:05 +0000 (18:31 +0100)
committerFrédéric Buclin <LpSolit@gmail.com>
Fri, 8 Jan 2016 17:31:05 +0000 (18:31 +0100)
r=gerv

template/en/default/attachment/edit.html.tmpl

index d3d5dae95f2f830929a72b3bb2f7a02660702d14..31dd91c8ca4b46c258561403e1f729fc44492493 100644 (file)
                   [% END %]
                 </a>
               </p>
-            [% ELSIF attachment.contenttype == "text/html" %]
+            [% ELSIF attachment.contenttype.match('^text/') %]
               [%# For security reasons (clickjacking, embedded scripts), we never
-                # render HTML pages from here. The source code is displayed instead. %]
+                # render HTML, XML or SVG pages directly. The source code for all
+                # text/* MIME types is displayed instead. If someone tries to abuse
+                # Bugzilla by manually editing the MIME type, it will be caught
+                # by the iframe below, thanks to its 'sandbox' attribute. %]
               [% INCLUDE global/textarea.html.tmpl
                  id      = 'viewFrame'
                  minrows = 10
                  readonly = 'readonly'
               %]
             [% ELSE %]
+              [%# The 'sandbox' attribute causes all scripts and form submissions
+                # embedded in the attachment to be disabled, for security reasons. %]
               <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]" sandbox>
                 <b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
                 <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>