| commit | 66b23ce9f134c838f393fa452c450f8b6fc147c3 | |
| author | Andreas Gohr <andi@splitbrain.org> | |
| Tue, 29 Sep 2009 18:28:32 +0000 (29 20:28 +0200) | ||
| committer | Andreas Gohr <andi@splitbrain.org> | |
| Tue, 29 Sep 2009 18:28:32 +0000 (29 20:28 +0200) | ||
| tree | 5445b8bc8a943e98e58c44f7f7fe86c78bf1a239 | treesnapshot (tar.gz zip) |
| parent | 0d5f4833689967dde7f9fc2cbd1b6ada533bbb73 | commitdiff |
Send export_raw as attachement to avoid IE's content sniffing [security]
Ignore-this: 9b6ef0179df729d4bc41c2d746965134
With MSIE's content-sniffing [1], the export_raw mode could be used for XSS
attacks against MSIE users. Sending the export as a download circumvents that.
[1] http://www.splitbrain.org/blog/2007-02/12-internet_explorer_facilitates_cross_site_scripting
darcs-hash:20090929182832-7ad00-085deb3fa8cc939b55cd293a8f4780b4b170d2e6.gz
Ignore-this: 9b6ef0179df729d4bc41c2d746965134
With MSIE's content-sniffing [1], the export_raw mode could be used for XSS
attacks against MSIE users. Sending the export as a download circumvents that.
[1] http://www.splitbrain.org/blog/2007-02/12-internet_explorer_facilitates_cross_site_scripting
darcs-hash:20090929182832-7ad00-085deb3fa8cc939b55cd293a8f4780b4b170d2e6.gz
| inc/actions.php | diffblobblamehistory |