From 2c917037160dd08bd7c3c052d3e566b20bb3562c Mon Sep 17 00:00:00 2001
From: "bzrmirror%bugzilla.org"
 <bzrmirror%bugzilla.org@18797224-902f-48f8-a5cc-f745e15eee43>
Date: Wed, 12 Mar 2014 19:00:52 +0000
Subject: [PATCH] Bug 728892: The attachment "Details" page is still vulnerable
 to Clickjacking with SVG or XHTML attachments r/a=justdave

git-svn-id: svn://10.0.0.236/trunk@265284 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/webtools/bugzilla/.bzrrev                               | 2 +-
 mozilla/webtools/bugzilla/.gitrev                               | 2 +-
 .../bugzilla/template/en/default/attachment/edit.html.tmpl      | 2 +-
 .../template/en/default/attachment/show-multiple.html.tmpl      | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/mozilla/webtools/bugzilla/.bzrrev b/mozilla/webtools/bugzilla/.bzrrev
index c3f577e6f12..d0a14334bf4 100644
--- a/mozilla/webtools/bugzilla/.bzrrev
+++ b/mozilla/webtools/bugzilla/.bzrrev
@@ -1 +1 @@
-8957
\ No newline at end of file
+8958
\ No newline at end of file
diff --git a/mozilla/webtools/bugzilla/.gitrev b/mozilla/webtools/bugzilla/.gitrev
index cf9e6012f6e..2b664b22219 100644
--- a/mozilla/webtools/bugzilla/.gitrev
+++ b/mozilla/webtools/bugzilla/.gitrev
@@ -1 +1 @@
-d51abfd7e3e1fcc3eea37e72ab0f49f3e28950a2
\ No newline at end of file
+ca7b39aa66be9b4deea1ead8e6a788025759b80d
\ No newline at end of file
diff --git a/mozilla/webtools/bugzilla/template/en/default/attachment/edit.html.tmpl b/mozilla/webtools/bugzilla/template/en/default/attachment/edit.html.tmpl
index dbcef2a7195..1ab30853cdd 100644
--- a/mozilla/webtools/bugzilla/template/en/default/attachment/edit.html.tmpl
+++ b/mozilla/webtools/bugzilla/template/en/default/attachment/edit.html.tmpl
@@ -197,7 +197,7 @@
                  readonly = 'readonly'
               %]
             [% ELSE %]
-              <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]">
+              <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]" sandbox>
                 <b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
                 <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
               </iframe>
diff --git a/mozilla/webtools/bugzilla/template/en/default/attachment/show-multiple.html.tmpl b/mozilla/webtools/bugzilla/template/en/default/attachment/show-multiple.html.tmpl
index a7c266b3c94..e2c95cb80e7 100644
--- a/mozilla/webtools/bugzilla/template/en/default/attachment/show-multiple.html.tmpl
+++ b/mozilla/webtools/bugzilla/template/en/default/attachment/show-multiple.html.tmpl
@@ -78,7 +78,7 @@
          classes = 'viewall_frame'
       %]
     [% ELSE %]
-      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
+      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame" sandbox>
         <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
         <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
       </iframe>