Merge remote-tracking branch 'origin/support/2.7' into develop

# Conflicts: # application/itopwebpage.class.inc.php # core/config.class.inc.php # setup/setuputils.class.inc.php
2026-04-24 11:08:45 +02:00 · 2021-08-18 18:55:56 +02:00
parent 909af7f59c 1c983e8093
commit 1613c1bbdc
4 changed files with 26 additions and 12 deletions
--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
@@ -1097,6 +1097,11 @@ class ObjectController extends BrickController
 		$aHeaders['Content-Type'] = $oDocument->GetMimeType();
 		$aHeaders['Content-Disposition'] = (($sOperation === 'display') ? 'inline' : 'attachment').';filename="'.$oDocument->GetFileName().'"';

+		// N°4129 - Prevent XSS attacks & other script executions
+		if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
+			$aHeaders['Content-Security-Policy'] = 'sandbox';
+		}
+
 		return new Response($oDocument->GetData(), Response::HTTP_OK, $aHeaders);
 	}