Test uploaded files for HTML tags FS#1077

Following the problem with IE's mimetype handling described at
http://www.splitbrain.org/blog/2007-02/12-internet_explorer_facilitates_cross_site_scripting
this patch adds a new option (on by default) to check the first 256
bytes of uploaded files against a list of a few HTML tags and denies
the upload of such a file. In rare occasions this may block harmless
and valid files, but that's price we have to pay for Microsoft's
stupidity.

Users who need HTML uploads should disable this check. (Don't do that on
open Wikis!)

darcs-hash:20070224124458-7ad00-0ced616d06f563515b36a0a6871b5ba50229c946.gz

1 files changed, 2 insertions, 1 deletions

diff --git a/inc/lang/en/lang.php b/inc/lang/en/lang.php
index aa0aad6e0..23f17c52c 100644
--- a/inc/lang/en/lang.php
+++ b/inc/lang/en/lang.php
@@ -104,7 +104,8 @@ $lang['uploadfail']  = 'Upload failed. Maybe wrong permissions?';
 $lang['uploadwrong'] = 'Upload denied. This file extension is forbidden!';
 $lang['uploadexist'] = 'File already exists. Nothing done.';
 $lang['uploadbadcontent'] = 'The uploaded content did not match the %s file extension.';
-$lang['uploadspam']  = 'The upload was blocked by the spam blacklist';
+$lang['uploadspam']  = 'The upload was blocked by the spam blacklist.';
+$lang['uploadxss']   = 'The upload was blocked for possibly malicious content.';
 $lang['deletesucc']  = 'The file "%s" has been deleted.';
 $lang['deletefail']  = '"%s" couldn\'t be deleted - check permissions.';
 $lang['mediainuse']  = 'The file "%s" hasn\'t been deleted - it is still in use.';