By using the upload document function, an attacker could potentially upload an HTML page to CollabNet TeamForge that contains active code, such as JavaScript. This active code would then be executed by clients' browsers when they view the page.

To prevent an attack of this sort, you can specify whether or not HTML code is displayed in CollabNet TeamForge. This flag applies to all documents, tracker, task, and forum attachments, and files in the file release system.

In the <SOURCEFORGE_SITE_DIR>/sourceforge_home/etc/sourceforge_configuration.properties file, set the sf.safeDownloadMode flag to one of the following values.