[ https://issues.apache.org/jira/browse/JSPWIKI-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
brushed resolved JSPWIKI-1106.
------------------------------
    Resolution: Fixed
    Fix Version/s: 2.11.0-M4

Solved in 2.11.0-M4-git-10

> Attachment forceDownload property
> ----------------------------------
>
>                 Key: JSPWIKI-1106
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1106
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Core & storage
>    Affects Versions: 2.11.0-M3
>            Reporter: brushed
>            Priority: Minor
>             Fix For: 2.11.0-M4
>
>
> The following sequence of actions can result in an annoying (although not
> harmful) javascript injection as attachment to a JSPWiki site:
>
> 1) Go to attachments, click Add new attachment, select a html file (that
> html file has XSS payload {{<img src=x onerror=alert(1)>}}) and click Upload
>
> 2) Now when a user clicks that html attachment, the alert gets executed
>
> Copied reply from the jspwiki mailing-list ::
> After discussing the issue, we came to the following conclusion that
> attachments upload can be controlled through
> {{jspwiki.attachment.allowed}} and {{jspwiki.attachment.forbidden}}
> properties,
> although by default JSPWiki allows all types of attachments, which
> seems a reasonable default for small-to-medium, mostly-personal wikis that
> people seem to be using Apache JSPWiki for.
> (...)
> We've also agreed to implement a new property,
> {{jspwiki.attachment.forceDownload}}, as a feature, to allow the
> administrators
> to specify which type of attachments should force a download when opening,
> or which are allowed to be opened in the browser, in order to have a
> friendlier-and-more-secure default configuration.
>
>
> Such "forceDownload" attachment links would be rendered with the additional
> "download" attribute. {{<a href="....some-file.html" download>description</a>}}
>
> Example of the properties file:
> {code}
> jspwiki.attachment.forceDownload= .html .htm .mp3
> {code}
>
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
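To show how the forceDownload property translates into the rendered link, here is an added example that is not JSPWiki's own code: it parses the property line quoted above into a set of extensions, decides per attachment filename whether the `download` attribute is added, and renders the anchor with HTML-escaped href and description. The sample properties text is constructed, and the case-insensitive, leading-dot-tolerant extension matching is an assumption about how the property is interpreted, not something the issue states.

```python
"""Simulate the jspwiki.attachment.forceDownload decision and link rendering.

Added example, not JSPWiki's implementation. Extension matching is assumed to be
case-insensitive and to ignore a leading dot in the configured tokens.
"""
import html
import posixpath

# Constructed sample of a jspwiki.properties fragment containing the line from the issue.
SAMPLE_PROPERTIES = """
# comment line, ignored
jspwiki.baseURL=http://localhost:8080/JSPWiki/
jspwiki.attachment.forceDownload= .html .htm .mp3
"""

PROPERTY_KEY = "jspwiki.attachment.forceDownload"


def parse_force_download(properties_text):
    """Return the lower-cased extensions (without dot) listed in forceDownload.

    Unknown or missing property -> empty set, i.e. nothing is forced to download.
    """
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROPERTY_KEY:
            return {tok.lstrip(".").lower() for tok in value.split() if tok.lstrip(".")}
    return set()


def is_force_download(filename, extensions):
    """True when the attachment's extension is on the forceDownload list."""
    _, ext = posixpath.splitext(filename)
    return ext.lstrip(".").lower() in extensions


def render_attachment_link(href, description, filename, extensions):
    """Render the attachment anchor, adding the download attribute when required.

    Both href and description are escaped so the link itself cannot inject markup.
    """
    attrs = 'href="%s"' % html.escape(href, quote=True)
    if is_force_download(filename, extensions):
        attrs += " download"
    return "<a %s>%s</a>" % (attrs, html.escape(description))


if __name__ == "__main__":
    exts = parse_force_download(SAMPLE_PROPERTIES)
    for name in ("some-file.html", "notes.txt", "song.MP3"):
        print(render_attachment_link("attach/Main/" + name, name, name, exts))
```

The `download` attribute only changes how the browser handles the click; the upload restrictions in `jspwiki.attachment.allowed` and `jspwiki.attachment.forbidden` remain the control that keeps HTML attachments off the wiki in the first place.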