https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42080
David Cook <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #195226|0 |1 is obsolete| | --- Comment #6 from David Cook <[email protected]> --- Created attachment 195245 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195245&action=edit Bug 42080: Invoice PDFs are forced downloads Serve invoice files with a CSP header that prevents XSS instead of with an attachment header that turns them into downloads. Testing plan: - Set AcqEnableFiles preference to Do - Acquisitions > Vendor > Receive Shipment > Create invoice - Finish Receiving > Manage invoice files - Upload an SVG with a <script> tag in it - Click the SVG filename to open it - Inspect browser's console: it should say something about a script being blocked due to the CSP directive Signed-off-by: David Cook <[email protected]> -- You are receiving this mail because: You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
