[rt-users] Malicious MIME type handling
Jesse Vincent
jesse at bestpractical.com
Tue Jan 26 07:54:05 EST 2010
On Tue, Jan 19, 2010 at 01:15:59PM +0000, Dominic Hargreaves wrote:
> I've noticed that there is some logic to override the mime type of
> HTML attachments ($TrustHTMLAttachments config) to avoid javascript
> XSS attacks in RT.
Sorry, I've been on Jury Duty since this came in and there was a small
internal miscommunication about who was going to get a reply out to you.
You're on the money. When this code path was put together, there were
far fewer MIME types that we needed to worry about. We actually got a
report about this just a couple weeks ago and should have an improvement
out in the next version of RT 3.8.
-Jesse