Commit
Fix #11826: All inline JavaScript now removed
The MantisBT code base is now free of inline JavaScript code. We can therefore tighten Content-Security-Policy settings to disallow execution of any inline JavaScript. This is a major security milestone for browsers supporting Content-Security-Policy (currently Firefox 4). In the event of an XSS bug anywhere within MantisBT, JavaScript code can no longer be executed as part of an XSS exploit. Firefox 4 users are therefore exposed to much less risk - so much so that any future MantisBT XSS vulnerabilities will likely be a non-issue.
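The mitigation the commit message describes rests on one property of the policy: the directive governing scripts (`script-src`, falling back to `default-src`) must not permit inline execution. The following checker is an added example, not MantisBT code or part of this commit; it parses a `Content-Security-Policy` header value using the standard (CSP Level 2 and later) syntax rather than the experimental Firefox 4 `X-Content-Security-Policy` syntax of the commit's era, and reports whether an injected inline `<script>` would run. The sample policies are constructed for illustration.

```python
"""Check whether a Content-Security-Policy permits inline script execution.

Added example (not MantisBT code). The policy strings below are constructed
to contrast a weak policy with the hardened shape the commit aims for.
"""
from typing import Dict, List, Optional

# Constructed sample policies (not taken from MantisBT).
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'"
HARDENED_POLICY = "default-src 'self'; script-src 'self'"

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive_name: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. If a directive
    is repeated, the browser honours the first occurrence and ignores later
    ones, so setdefault() keeps the first.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list that governs <script>, or None if nothing does.

    script-src applies when present; otherwise default-src is the fallback.
    With neither, the browser applies no script restriction at all.
    """
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_script_allowed(header: str) -> bool:
    """True if an inline <script> (e.g. one injected via XSS) would execute.

    Inline script runs only when the governing directive lists
    'unsafe-inline'. Under CSP Level 2+, a nonce or hash source in the same
    directive makes 'unsafe-inline' ignored, so that case counts as blocked.
    """
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True  # no governing directive: inline scripts are unrestricted
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def audit_policies(policies: Dict[str, str]) -> List[str]:
    """Return the names of policies that still allow inline script."""
    return [name for name, header in policies.items() if inline_script_allowed(header)]


if __name__ == "__main__":
    for name, header in {"weak": WEAK_POLICY, "hardened": HARDENED_POLICY}.items():
        verdict = "ALLOWS" if inline_script_allowed(header) else "blocks"
        print(f"{name:9s} {verdict} inline script: {header}")
```

The useful output for a deployment review is `audit_policies()`: feed it the policies observed on each response and anything it returns is a page where an XSS bug would still yield script execution, which is exactly the class of risk the commit message says the tightened policy removes.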