From 26ceae189b2d0a31062ca1f26577545b78250281 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 24 Feb 2007 13:44:58 +0100
Subject: Test uploaded files for HTML tags FS#1077

Following the problem with IE's mimetype handling described at
http://www.splitbrain.org/blog/2007-02/12-internet_explorer_facilitates_cross_site_scripting
this patch adds a new option (on by default) to check the first 256
bytes of uploaded files against a list of a few HTML tags and denies
the upload of such a file. In rare occasions this may block harmless
and valid files, but that's price we have to pay for Microsoft's
stupidity.

Users who need HTML uploads should disable this check. (Don't do that on
open Wikis!)

darcs-hash:20070224124458-7ad00-0ced616d06f563515b36a0a6871b5ba50229c946.gz
---
 conf/dokuwiki.php | 1 +
 1 file changed, 1 insertion(+)

(limited to 'conf/dokuwiki.php')

diff --git a/conf/dokuwiki.php b/conf/dokuwiki.php
index 66a2171b3..d442f0e93 100644
--- a/conf/dokuwiki.php
+++ b/conf/dokuwiki.php
@@ -54,6 +54,7 @@ $conf['mailguard']   = 'hex';             //obfuscate email addresses against sp
                                           //  'visible' - replace @ with [at], . with [dot] and - with [dash]
                                           //  'hex'     - use hex entities to encode the mail address
                                           //  'none'    - do not obfuscate addresses
+$conf['iexssprotect']= 1;                 // check for JavaScript and HTML in uploaded files 0|1
 
 /* Authentication Options - read http://www.splitbrain.org/dokuwiki/wiki:acl */
 
-- 
cgit v1.2.3