NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.
There are various content-types which are unsafe to send as Content-Disposition: inline as they could be used to perform XSS attacks.
The known 'bad' content-types which confluence currently sends 'inline' include: 'application/x-shockwave-flash'(swf files) and 'image/svg+xml'(svg files).
- is duplicated by
-
CONFCLOUD-54383 File Attachment persistent XSS
-
- Closed
-
- relates to
-
-
- Closed
-