MantisBT: master 2a1eed9d

Author: dhx
Committer: dhx
Branch: master
Timestamp: 2010-12-26 14:24:10
Parent: master 4b0e0d5d
Affected Issues: 0011826: Remove all inline JavaScript from MantisBT (use external scripts instead)

Fix 0011826: All inline JavaScript now removed

The MantisBT code base is now free of inline JavaScript code. We can
therefore tighten Content-Security-Policy settings to disallow execution
of any inline JavaScript.

This is a major security milestone for browsers supporting
Content-Security-Policy (currently Firefox 4). In the event of an XSS bug
anywhere within MantisBT, JavaScript code can no longer be executed as
part of an XSS exploit. Firefox 4 users are therefore exposed to much
less risk - so much so that any future MantisBT XSS vulnerabilities will
likely be a non-issue.

mod - core/http_api.php
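The commit's point is that once no inline script remains, the policy can drop 'unsafe-inline' and an injected `<script>` or `onclick=` no longer runs. The following is an added example, not MantisBT code: a small checker that parses a Content-Security-Policy header and reports whether inline script is still permitted. It assumes the standard CSP directive syntax (`default-src`, `script-src`); the experimental header Firefox 4 shipped used a different syntax, and nonce/hash allowances are not modelled. The sample policies are constructed.

```python
"""Determine whether a CSP header still permits inline script execution.
Added example for this commit page; not MantisBT code."""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.
    Directives are ';'-separated; the first token of each is its name."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # A repeated directive is ignored after its first occurrence.
        policy.setdefault(name, tokens[1:])
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs inline scripts; if absent, default-src applies.
    Returns None when neither is present (scripts are unrestricted)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_script_allowed(header: str) -> bool:
    """True if an injected <script>...</script> or onclick= handler could run.
    Inline script is blocked only when the governing directive exists and
    does not list 'unsafe-inline'. An empty source list blocks everything."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True
    return any(src.lower() == "'unsafe-inline'" for src in sources)


# Constructed sample policies (not taken from MantisBT): one that still
# tolerates inline script, the tightened form this commit makes possible,
# and one with no script-governing directive at all.
LOOSE_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'"
TIGHT_POLICY = "default-src 'self'; script-src 'self'"
NO_SCRIPT_DIRECTIVE = "img-src 'self'"

if __name__ == "__main__":
    for label, hdr in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY),
                       ("no script directive", NO_SCRIPT_DIRECTIVE)):
        print(f"{label}: inline script allowed = {inline_script_allowed(hdr)}")
```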