diff options
| author | Andreas Gohr <andi@splitbrain.org> | 2007-02-24 13:44:58 +0100 |
|---|---|---|
| committer | Andreas Gohr <andi@splitbrain.org> | 2007-02-24 13:44:58 +0100 |
| commit | 26ceae189b2d0a31062ca1f26577545b78250281 (patch) | |
| tree | bfab809313d3f19b569f19047c8ad0b71e733f69 /conf/dokuwiki.php | |
| parent | 6d88439ada7c841b10a8de3da846f7cc1cf5842a (diff) | |
| download | rpg-26ceae189b2d0a31062ca1f26577545b78250281.tar.gz rpg-26ceae189b2d0a31062ca1f26577545b78250281.tar.bz2 | |
Test uploaded files for HTML tags FS#1077
Following the problem with IE's mimetype handling described at
http://www.splitbrain.org/blog/2007-02/12-internet_explorer_facilitates_cross_site_scripting
this patch adds a new option (on by default) to check the first 256
bytes of uploaded files against a list of a few HTML tags and denies
the upload of such a file. In rare occasions this may block harmless
and valid files, but that's price we have to pay for Microsoft's
stupidity.
Users who need HTML uploads should disable this check. (Don't do that on
open Wikis!)
darcs-hash:20070224124458-7ad00-0ced616d06f563515b36a0a6871b5ba50229c946.gz
Diffstat (limited to 'conf/dokuwiki.php')
| -rw-r--r-- | conf/dokuwiki.php | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/conf/dokuwiki.php b/conf/dokuwiki.php index 66a2171b3..d442f0e93 100644 --- a/conf/dokuwiki.php +++ b/conf/dokuwiki.php @@ -54,6 +54,7 @@ $conf['mailguard'] = 'hex'; //obfuscate email addresses against sp // 'visible' - replace @ with [at], . with [dot] and - with [dash] // 'hex' - use hex entities to encode the mail address // 'none' - do not obfuscate addresses +$conf['iexssprotect']= 1; // check for JavaScript and HTML in uploaded files 0|1 /* Authentication Options - read http://www.splitbrain.org/dokuwiki/wiki:acl */ |