Prevent Clickjacking by adding additional headers:

                header('X-Frame-Options: Sameorigin');
                header('X-XSS-Protection: 1; mode=block');
                header('X-Content-Type-Options: nosniff');

Thanks to Lukas Reschke for reporting this issue (and many more).

diff --git a/lib/template.php b/lib/template.php
index 57e9c15f5e689a6c79ae0a6ed53f71e38ab6259a..e908c76bfadf0c2ba76af716b5d2bf0f78e3b911 100644 (file)
--- a/lib/template.php
+++ b/lib/template.php
@@ -156,7 +156,10 @@ class OC_Template{
                $this->application = $app;
                $this->vars = array();
                $this->l10n = OC_L10N::get($app);
-
+                header('X-Frame-Options: Sameorigin');
+                header('X-XSS-Protection: 1; mode=block');
+                header('X-Content-Type-Options: nosniff');
+ 
                $this->findTemplate($name);
        }