The problem is that with this patch we a) decrease the user experience — e.g. PDFs cannot be viewed in the browser anymore, they have to be downloaded (and the downloaded PDF might be viewed in the browser, but not the online version)
A client reported the same issue yesterday. The portal is a Plone 4.3 site. Some PDF files using @@display-view will cause a download. Others display on the browser. What I have noticed is that files that resulted in a download had the extra header:
content-disposition: attachment; filename="some.pdf"
PDF seems safe to add there yes. A patch in your own code could work, something like this (untested):
from Products.PloneHotfix20210518 import namedfile
The above resolved the issue and PDF files now display inline instead of being downloaded.
Same here, I had a customer complaining about PDF downloads. The above lines are fixing it.
Technically, PDFs could be vulnerable too. See
But that was a bug when Adobe Acrobat Reader was used to view the PDF in the browser, and this program has meanwhile been patched. I don't see when this was though.
I do wonder about changing the hotfix to optionally use a short blacklist instead of the current whitelist, triggered by an OS environment variable. Would that help?
Blacklist would be:
Hope we have them all then... I have these from http://localhost:8080/Plone/mimetypes_registry/manage_main
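To make the two approaches discussed in this thread concrete (the allowlist patch that adds PDF to the inline types, and the proposed environment-variable switch to a short denylist), here is an added example. It is not code from Plone, plone.namedfile or the hotfix; the function names, the environment variable name and both type lists are assumptions constructed for this illustration.

```python
"""Added example (not Plone's or the hotfix's own code): deciding the
Content-Disposition header for a served file with either an allowlist or a
denylist of MIME types, switched by an environment variable as proposed
in the thread. Names, the env var and the type lists are assumptions."""
import os

# Constructed allowlist: types a browser can render inline without running
# script. PDF is included on purpose, which is what the patch in the thread does.
ALLOWED_INLINE_MIMETYPES = frozenset({
    "application/pdf",
    "image/gif", "image/jpeg", "image/png", "image/webp",
    "text/plain",
    "audio/mpeg", "video/mp4",
})

# Constructed denylist: types that can execute script or load other
# resources when rendered inline, so they are always sent as a download.
DISALLOWED_INLINE_MIMETYPES = frozenset({
    "text/html", "application/xhtml+xml",
    "image/svg+xml", "text/xml", "application/xml",
    "text/javascript", "application/javascript",
})

# Assumed environment variable name; any non-empty value selects denylist mode.
USE_DENYLIST_ENV = "EXAMPLE_NAMEDFILE_USE_DENYLIST"


def use_denylist():
    """Read the assumed switch from the process environment."""
    return bool(os.environ.get(USE_DENYLIST_ENV))


def inline_allowed(mimetype, denylist_mode=None):
    """Return True if a file of this MIME type may be served inline."""
    if denylist_mode is None:
        denylist_mode = use_denylist()
    # Normalise "Application/PDF; charset=binary" to "application/pdf".
    mimetype = (mimetype or "").split(";")[0].strip().lower()
    if not mimetype:
        # No type at all: never render inline.
        return False
    if denylist_mode:
        # Denylist: everything not explicitly listed is inline, including
        # unknown types. That is the "hope we have them all" trade-off.
        return mimetype not in DISALLOWED_INLINE_MIMETYPES
    # Allowlist: only explicitly known-safe types are inline.
    return mimetype in ALLOWED_INLINE_MIMETYPES


def content_disposition(mimetype, filename, denylist_mode=None):
    """Build the Content-Disposition header value for a file response."""
    disposition = "inline" if inline_allowed(mimetype, denylist_mode) else "attachment"
    # Drop characters that would break or split the quoted header value.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return '%s; filename="%s"' % (disposition, safe_name)


if __name__ == "__main__":
    samples = [("application/pdf", "report.pdf"), ("text/html", "page.html"),
               ("image/svg+xml", "logo.svg"), ("application/octet-stream", "blob.bin")]
    for mt, fn in samples:
        print("%-26s allowlist: %-34s denylist: %s" % (
            mt, content_disposition(mt, fn, denylist_mode=False),
            content_disposition(mt, fn, denylist_mode=True)))
```

The difference between the two modes shows up on types that are on neither list, such as application/octet-stream: the allowlist sends them as a download, the denylist serves them inline. That is why a denylist is only as good as its completeness, which is the concern raised in the thread.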
You are right. I didn't realise that the hotfix would make the inline diff and code diff that much alike. Well, there are still differences, but with the hotfix the inline diff shows html code, so it has gotten uglier.
Here is the PR for merging the hotfix into Products.CMFDiffTool. After this is merged, someone could try to improve it.
I have a PR to improve this and use the safe html transform for the inline diff of rich text fields:
The changes from PloneHotfix20210518 1.0 were taken over in PR #39.
But this ma
I may add that to a new version of the hotfix as well.