Changes for page Release Notes for XWiki 5.2 Milestone 2
Last modified by Thomas Mortagne on 2017/03/24
Change comment: styling
Summary
Page properties (1 modified, 0 added, 0 removed)
Details
- Page properties
- Content
... ... @@ -129,8 +129,9 @@ 129 129 130 130 == Choosing which types of attachments can be displayed inline (Security) == 131 131 132 -In order to prevent XSS via FileUpload, a new feature has been added : you can now specify in xwiki.properties which types of attachment can be displayed inline. 133 -In the "Attachment" section of xwiki.properties, you can either precise a whitelist of mimetypes that can be displayed inline, or precise a blacklist of mimetypes that shouldn't be displayed inline (if you use this configuration, it is strongly advised to blacklist at least "text/html" and "text/javascript" mimetypes for security reasons). 132 +In order to prevent XSS via FileUpload, a new feature has been added: you can now specify in ##xwiki.properties## which types of attachment can be displayed inline. 133 +In the "Attachment" section of ##xwiki.properties##, you can either precise a whitelist of mimetypes that can be displayed inline, or precise a blacklist of mimetypes that shouldn't be displayed inline (if you use this configuration, it is strongly advised to blacklist at least ##text/html## and ##text/javascript## mimetypes for security reasons). 134 + 134 134 Note that attachments provided by users having Programming Rights won't be affected by these restrictions. 135 135 136 136 == Miscellaneous ==
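Review bot: On new lines 132-133 the styling pass leaves "precise a whitelist" and "precise a blacklist" as they were; "precise" is not a verb in English and should read "specify", and "mimetypes" would be clearer as "MIME types". Line 133 now monospaces ##xwiki.properties##, ##text/html## and ##text/javascript##, but it still only points at the "Attachment" section without naming the property keys to set, so a reader cannot apply the whitelist or blacklist from this paragraph alone; naming the keys in the same ## ## style would close that gap. The blank line added at 134 usefully separates the Programming Rights note; since that note means the restriction depends on who uploaded the attachment, it may be worth saying so explicitly so administrators account for it when choosing between the two lists.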