Prevent cross-site scripting (XSS)

By using the upload document function, an attacker could potentially upload an HTML page to CollabNet TeamForge that contains active code, such as JavaScript. This active code would then be executed by clients' browsers when they view the page.

To prevent an attack of this sort, you can specify whether or not HTML code is displayed in CollabNet TeamForge. This flag applies to all documents, tracker, task, and forum attachments, and files in the file release system.

In the <SOURCEFORGE_SITE_DIR>/sourceforge_home/etc/sourceforge_configuration.properties file, set the sf.safeDownloadMode flag to one of the following values.

none: All file types that can be displayed inline are displayed inline, including HTML and text.
Note: This is the CollabNet TeamForge default.
html: HTML files are not displayed inline. All other file types that can be displayed inline are displayed inline, such as text. When a user tries to launch an HTML file, he or she is prompted to download and save the file locally.
all: No file types are displayed inline. When a user tries to launch any file, he or she is prompted to download and save the file locally.