From 7aa3b10418d35b1d94565ef3f1b596ff34dd92c2 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sat, 24 Feb 2007 14:16:23 +0100
Subject: added some comments about new XSS protection to mime.conf
darcs-hash:20070224131623-7ad00-cd82685db94b50be942a6d71293010aa8fdabdfa.gz
---
 conf/mime.conf | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/conf/mime.conf b/conf/mime.conf
index 058590a32..8b4142b79 100644
--- a/conf/mime.conf
+++ b/conf/mime.conf
@@ -17,14 +17,6 @@ ppt application/mspowerpoint
 rtf application/msword
 swf application/x-shockwave-flash
-# You should enable HTML and Text uploads only for restricted Wikis.
-# Spammers are known to upload spam pages through unprotected Wikis.
-#html text/html
-#htm text/html
-#txt text/plain
-#conf text/plain
-#xml text/xml
-
 rpm application/octet-stream
 deb application/octet-stream
@@ -40,3 +32,17 @@ odi application/vnd.oasis.opendocument.image
 odp application/vnd.oasis.opendocument.presentation
 ods application/vnd.oasis.opendocument.spreadsheet
 odt application/vnd.oasis.opendocument.text
+
+# You should enable HTML and Text uploads only for restricted Wikis.
+# Spammers are known to upload spam pages through unprotected Wikis.
+# Note: Enabling HTML opens Cross Site Scripting vulnerabilities
+# through JavaScript. Only enable this with trusted users. You
+# need to disable the iexssprotect option additionally to
+# adding the mime type here
+#html text/html
+#htm text/html
+#txt text/plain
+#conf text/plain
+#xml text/xml
+
+
--
cgit v1.2.3
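Review bot: The note added in the second hunk warns about script only for HTML, but the commented-out block right under it also offers `#xml text/xml`, and XML served inline can carry script in the same way. The warning should name both, for example `# Note: Enabling HTML or XML uploads opens Cross Site Scripting vulnerabilities`. The sentence about iexssprotect also leaves out that turning the option off presumably removes the upload check for every file type, not only the ones enabled here; a line such as `# Disabling iexssprotect affects all uploads, not just these types.` would make that cost visible to whoever edits this file. The first hunk only removes the old copy of the block and needs no change.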