From ad4f788c398208e2370388b43f4727c17c4f64bd Mon Sep 17 00:00:00 2001
From: Florian Gnaegi - frentix GmbH <gnaegi@frentix.com>
Date: Mon, 24 Feb 2014 13:48:25 +0100
Subject: [PATCH] OO-996 Prevent XSS attack on forum attachment

---
 src/main/java/org/olat/modules/fo/ForumController.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/olat/modules/fo/ForumController.java b/src/main/java/org/olat/modules/fo/ForumController.java
index 6946ae486b0..1d0f2bcdbdc 100644
--- a/src/main/java/org/olat/modules/fo/ForumController.java
+++ b/src/main/java/org/olat/modules/fo/ForumController.java
@@ -653,7 +653,9 @@ public class ForumController extends BasicController implements GenericEventList
 		attachments.addAll((Collection<VFSItem>) messageMap.get("attachments"));
 		VFSItem vI = attachments.get(pos - 1);
 		VFSLeaf vl = (VFSLeaf) vI;
-		ureq.getDispatchResult().setResultingMediaResource(new VFSMediaResource(vl));
+		VFSMediaResource res = new VFSMediaResource(vl);
+		res.setDownloadable(true); // prevent XSS attack
+		ureq.getDispatchResult().setResultingMediaResource(res);
 	}
 
 	private void doDeleteMessage(UserRequest ureq) {
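Review bot: The `// prevent XSS attack` comment on the new `res.setDownloadable(true)` line says neither what the flag does nor why it neutralises the attack, so a later maintainer could drop it as cosmetic; I would replace it with `// Force a download (Content-Disposition: attachment) so a user-uploaded HTML/SVG attachment is never rendered inline in the application origin (OO-996)`, assuming that is what setDownloadable() actually does in VFSMediaResource — worth confirming there. A download disposition alone does not stop content sniffing, so if VFSMediaResource does not already emit `X-Content-Type-Options: nosniff` for downloadable resources, that header is the second half of this defence. The enclosing method begins before this hunk, so I cannot see where `pos` comes from; if it is taken from the request, the context line `attachments.get(pos - 1)` still has no range check and will throw on out-of-range values.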
-- 
GitLab