Various persistent-xss vulnerabilities in attachment downloads

XMLWordPrintable

    • 6.5

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      There are various content-types which are unsafe to send as Content-Disposition: inline as they could be used to perform XSS attacks.
      The known 'bad' content-types which confluence currently sends 'inline' include: 'application/x-shockwave-flash'(swf files) and 'image/svg+xml'(svg files).

            Assignee:
            Unassigned
            Reporter:
            David Black
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: