From 26ceae189b2d0a31062ca1f26577545b78250281 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sat, 24 Feb 2007 13:44:58 +0100
Subject: Test uploaded files for HTML tags FS#1077

Following the problem with IE's mimetype handling described at http://www.splitbrain.org/blog/2007-02/12-internet_explorer_facilitates_cross_site_scripting this patch adds a new option (on by default) to check the first 256 bytes of uploaded files against a list of a few HTML tags and denies the upload of such a file. In rare occasions this may block harmless and valid files, but that's price we have to pay for Microsoft's stupidity. Users who need HTML uploads should disable this check. (Don't do that on open Wikis!)

darcs-hash:20070224124458-7ad00-0ced616d06f563515b36a0a6871b5ba50229c946.gz
---
 lib/plugins/config/lang/en/lang.php | 1 +
 lib/plugins/config/settings/config.metadata.php | 1 +
 2 files changed, 2 insertions(+)
(limited to 'lib/plugins')

diff --git a/lib/plugins/config/lang/en/lang.php b/lib/plugins/config/lang/en/lang.php
index 9f3df88bb..825f5cf85 100644
--- a/lib/plugins/config/lang/en/lang.php
+++ b/lib/plugins/config/lang/en/lang.php
@@ -80,6 +80,7 @@ $lang['usewordblock']= 'Block spam based on wordlist';
 $lang['indexdelay'] = 'Time delay before indexing (sec)';
 $lang['relnofollow'] = 'Use rel="nofollow" on external links';
 $lang['mailguard'] = 'Obfuscate email addresses';
+$lang['iexssprotect']= 'Check uploaded files for possibly malicious JavaScript or HTML code';
 
 /* Authentication Options */
 $lang['useacl'] = 'Use access control lists';
diff --git a/lib/plugins/config/settings/config.metadata.php b/lib/plugins/config/settings/config.metadata.php
index d1456b3e9..ee8db882f 100644
--- a/lib/plugins/config/settings/config.metadata.php
+++ b/lib/plugins/config/settings/config.metadata.php
@@ -122,6 +122,7 @@ $meta['usewordblock']= array('onoff');
 $meta['relnofollow'] = array('onoff');
 $meta['indexdelay'] = array('numeric');
 $meta['mailguard'] = array('multichoice','_choices' => array('visible','hex','none'));
+$meta['iexssprotect']= array('onoff');
 
 $meta['_editing'] = array('fieldset');
 $meta['usedraft'] = array('onoff');
-- 
cgit v1.2.3
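Review bot: The new `$meta['iexssprotect']` line registers the option as a plain on/off toggle with nothing telling an administrator that it is a security control, and the English label added in the sibling lang.php hunk ("Check uploaded files for possibly malicious JavaScript or HTML code") drops the commit message's own caveat that switching it off on an open wiki re-enables the IE MIME-sniffing XSS the change is meant to stop. I would put a comment next to the metadata entry, e.g. `// security: turning this off re-enables IE mime-sniffing XSS via uploads (FS#1077); keep on for open wikis`, and carry the same warning into the label text. Neither the option's default nor the actual 256-byte/tag-list check is part of this diff (it is limited to lib/plugins), so the "on by default" claim cannot be confirmed from these hunks. A short prefix scan against a fixed tag list is presumably a mitigation rather than a complete filter, so the documentation should present it as defense in depth and not as a guarantee that uploads cannot be sniffed as HTML.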