diff MoinMoin/config/multiconfig.py @ 1548:2eb5117aa7de

Use "Content-Disposition: attachment" instead of "inline" for AttachFile downloads whose mimetype is in the cfg.mimetypes_xss_protect list
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Thu, 14 Sep 2006 18:37:05 +0200
parents 4298764e3cef
children e36313297589
--- a/MoinMoin/config/multiconfig.py	Thu Sep 14 15:42:23 2006 +0200
+++ b/MoinMoin/config/multiconfig.py	Thu Sep 14 18:37:05 2006 +0200
@@ -313,6 +313,14 @@
     mail_import_wiki_address = None # the e-mail address for e-mails that should go into the wiki
     mail_import_secret = ""
 
+    # some dangerous mimetypes (we don't use "content-disposition: inline" for them when a user
+    # downloads such attachments, because the browser might execute e.g. Javascript contained
+    # in the HTML and steal your moin cookie or do other nasty stuff) 
+    mimetypes_xss_protect = [
+        'text/html',
+        'application/x-shockwave-flash',
+    ]
+
     navi_bar = [u'RecentChanges', u'FindPage', u'HelpContents', ]
     nonexist_qm = False
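Review bot: The new denylist in `mimetypes_xss_protect` covers only text/html and Flash, but browsers also execute script from attachments served inline as `image/svg+xml`, `application/xhtml+xml` and `text/xml`/`application/xml` (via an XHTML namespace or an XSLT stylesheet), so an attacker can still upload one of those and steal the moin cookie the comment warns about. Extend the list, e.g. `'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml',`, and consider `text/plain` as well, since some browsers of this era content-sniff it into HTML. A denylist of types to force to attachment is inherently incomplete; the safer design is an allowlist of inline-safe types (raster images, plain text) with everything else served as attachment, which this setting could express as a `mimetypes_inline_ok` list instead. The AttachFile code that consumes this list is not in the hunk, so confirm it compares the bare type case-insensitively and ignores parameters such as `; charset=` before checking membership. The Config class holding these settings begins and ends outside the hunk.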