added some comments about new XSS protection to mime.conf

darcs-hash:20070224131623-7ad00-cd82685db94b50be942a6d71293010aa8fdabdfa.gz

conf/mime.conf

@@ -17,14 +17,6 @@ ppt     application/mspowerpoint
 rtf     application/msword
 swf     application/x-shockwave-flash
 
-# You should enable HTML and Text uploads only for restricted Wikis.
-# Spammers are known to upload spam pages through unprotected Wikis.
-#html    text/html
-#htm     text/html
-#txt     text/plain
-#conf    text/plain
-#xml     text/xml
-
 rpm     application/octet-stream
 deb     application/octet-stream
 
@@ -40,3 +32,17 @@ odi     application/vnd.oasis.opendocument.image
 odp     application/vnd.oasis.opendocument.presentation
 ods     application/vnd.oasis.opendocument.spreadsheet
 odt     application/vnd.oasis.opendocument.text
+
+# You should enable HTML and Text uploads only for restricted Wikis.
+# Spammers are known to upload spam pages through unprotected Wikis.
+# Note: Enabling HTML opens Cross Site Scripting vulnerabilities
+#       through JavaScript. Only enable this with trusted users. You
+#       need to disable the iexssprotect option additionally to
+#       adding the mime type here
+#html    text/html
+#htm     text/html
+#txt     text/plain
+#conf    text/plain
+#xml     text/xml
+
+