• Escape user uploaded XHTML files · 4068b7a8
    Hugh Davenport authored
    Bug #1055232
    CVE-2012-2243
    
    Before this patch, if a user uploaded HTML or XML files
    then tried to download them, or linked other users to download
    them, they would be presented with an escaped version along
    with a link to download the original.
    
    This did not include XHTML files, which can cause the same
    security issues as HTML or XML files. This patch includes the
    XHTML mimetype of application/xhtml+xml in the test of which
    files to escape.
    
    Change-Id: Iffb8308fdb56a173fd4af2bbda800999dd11fea3
    Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
file.php 31.3 KB
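
The mimetype test described in the commit message, sketched as an added PHP example; it is not the project's code and not part of this commit. The function names, the HTML/XML entries in the type list, the Content-Type normalisation and the download URL are assumptions, and the sample uploads are constructed.

```php
<?php
// Added illustration, not the project's file.php. All names here are hypothetical.

// Types a browser may render as active markup when a file is served inline.
// The HTML/XML entries are assumed; application/xhtml+xml is the one the commit adds.
const ESCAPED_MIME_TYPES = [
    'text/html',
    'text/xml',
    'application/xml',
    'application/xhtml+xml',
];

// Reduce a declared Content-Type to a bare lowercase type/subtype so that
// "Application/XHTML+XML; charset=utf-8" cannot slip past an exact match.
function normalise_mime_type(string $contenttype): string {
    $bare = explode(';', $contenttype, 2)[0]; // drop "; charset=..." parameters
    return strtolower(trim($bare));
}

function needs_escaping(string $contenttype): bool {
    return in_array(normalise_mime_type($contenttype), ESCAPED_MIME_TYPES, true);
}

// Page shown instead of the raw file: the source as inert text plus a download link.
function escaped_view(string $body, string $downloadurl): string {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<pre>' . htmlspecialchars($body, $flags, 'UTF-8') . '</pre>'
         . '<p><a href="' . htmlspecialchars($downloadurl, $flags, 'UTF-8')
         . '">Download the original</a></p>';
}

// Constructed sample uploads: [declared type, body].
$samples = [
    ['text/html', '<script>alert(1)</script>'],
    ['Application/XHTML+XML; charset=utf-8',
     '<html xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></html>'],
    ['image/png', "\x89PNG..."],
];
foreach ($samples as [$type, $body]) {
    if (needs_escaping($type)) {
        // Hypothetical download URL, used only for the link in the escaped view.
        echo $type, " => escaped view:\n",
             escaped_view($body, 'download.php?file=1&download=1'), "\n";
    } else {
        echo $type, " => served as-is\n";
    }
}
```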