It is safe to show image attachments directly, rather than serving them as downloads (like we must do for everything else, for security)
On allura js/4277. To test, attach both an image and a non-image file to an artifact (should work for tickets, wiki pages, discussion posts, etc. the same). Clicking the image should display the image full-size, but clicking the non-image will prompt a download.
This isn't secure enough. If I upload an HTML attachment and then (directly in mongo) update the content type to text/html/image/ then the attachment will be displayed inline, and Firefox does show it as regular HTML. This is possible since we currently trust user-provided content types.
Actually that is not the problem (although I think it's still safer to do a startswith check). The problem is that self.content_type is used to do the check, but serve() in filesystem.py uses the GridFS fp content_type. We need to check the same value. Offhand, I'm not sure which is best.
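The two pitfalls raised in this thread (trusting a user-supplied content type, and making the inline/download decision on one value while serving another) can both be closed by deriving a single effective type from the stored bytes and using it for both the decision and the response. The following is an added illustration, not Allura's own code: the `sniff_image_type` / `response_headers` functions and the `(filename, claimed_content_type, data)` inputs are assumptions for the example, and the sample bytes are constructed.

```python
# Added example (not Allura's own code): decide whether an attachment may be
# rendered inline from the bytes actually stored, never from a content type
# that the uploader supplied or could edit. One value drives both the
# inline/attachment decision and the Content-Type actually sent.

# Magic bytes for the image formats we are willing to render inline.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_image_type(data):
    """Return the image MIME type implied by the file's leading bytes, or None."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data[: len(magic)] == magic:
            return mime
    return None


def _safe_filename(filename):
    """Strip characters that would break out of the quoted filename parameter."""
    return filename.replace('"', "").replace("\r", "").replace("\n", "")


def response_headers(filename, claimed_content_type, data):
    """Build response headers for an attachment (hypothetical signature).

    Inline rendering happens only when the stored bytes are a recognised
    image AND the claimed type is an image type (a startswith check, so a
    value such as "text/html/image/" does not pass). The served Content-Type
    is the sniffed one, so a mismatch between the check and the response
    cannot arise. Everything else is forced to a download as octet-stream.
    """
    effective_type = sniff_image_type(data)
    name = _safe_filename(filename)
    if effective_type is not None and claimed_content_type.startswith("image/"):
        return {
            "Content-Type": effective_type,
            "Content-Disposition": 'inline; filename="%s"' % name,
            # Stop browsers from second-guessing the type we send.
            "X-Content-Type-Options": "nosniff",
        }
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % name,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed samples: a real PNG header, and an HTML body mislabelled as PNG.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    html = b"<html><body>hello</body></html>"
    print(response_headers("logo.png", "image/png", png))
    print(response_headers("evil.png", "image/png", html))
    print(response_headers("notes.html", "text/html", html))
```

With the decision and the served type both coming from `effective_type`, relabelling the document in the database no longer changes how the file is rendered; the worst an attacker-controlled content type can do is turn an image into a download.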