Text attachments should display in the browser, not forced downloaded

[cracauer@]

Text attachments should display in the browser, not forced downloaded.

Consider the first post here: https://forums.freebsd.org/threads/audinst-hud-mx1usb-dac-sound-volume-very-low.102321/

I want to see dmesg. As it is right now I have to download it, open it from HD and then clean up afterwards. It should just display the text in a browser tab. This is done via http header.

I know that XenForo does this by default and last I heard there was no option to turn this nonsense off. But maybe there us a way, or an update or something.

 

[drsnx60]

using firefox to navigate to

file:///var/run/dmesg.boot

And opening it works for me and displays text in the firefox window.

 

[mer]

using firefox to navigate to

file:///var/run/dmesg.boot

And opening it works for me and displays text in the firefox window.

That works for files on the local system, but I believe cracauer@ is talking about text files that someone attaches to a post on the forum. The thread linked in the OP has 3 attachments, all text files. If you want to look at the contents, clicking on one causes a download, not just open in a new tab.

 

[drsnx60]

OK. I can configure the DOWNLOAD setting in firefox to "Always ask you where to save files"
this pops up a dialouge where I can view the file in an editor or I can select a browser to view the file in .

 

[fjdlr]

I have two scripts; one monitors the download of text files.
The other opens hx or vim to view the file.
Install pkg install entr
You can change the editor.
Sorry, the comments are in French.
15:32 %> cat watch-txt.sh

#!/bin/sh

DL="$HOME/Telechargement"
CACHE="/tmp/hx_last_opened_txt"

[ -d "$DL" ] || exit 1

# surveille le dossier lui-même
while true; do
printf '%s\n' "$DL" | entr -d sh -c '
DL="'"$DL"'"
CACHE="'"$CACHE"'"

FILE=$(find "$DL" -maxdepth 1 -type f -name "*.txt" -print 2>/dev/null \
| xargs ls -t 2>/dev/null | head -n 1)

[ -n "$FILE" ] || exit 0

MTIME=$(stat -f "%m" "$FILE" 2>/dev/null) || exit 0
NOW=$(date +%s)
AGE=$((NOW - MTIME))

# ignorer les vieux fichiers
[ "$AGE" -gt 5 ] && exit 0

LAST=""
[ -f "$CACHE" ] && LAST=$(cat "$CACHE" 2>/dev/null)

# éviter de rouvrir le même fichier
[ "$FILE" = "$LAST" ] && exit 0

echo "$FILE" > "$CACHE"

# laisser finir le renommage / flush Firefox
sleep 1

exec xfce4-terminal --hold -e "hx \"$FILE\""
'
done

and
15:33 %> cat open-last-txt.sh

#!/bin/sh

DL="$HOME/Telechargement"

# dlast file downloaded
FILE=$(ls -t "$DL"/*.txt 2>/dev/null | head -n 1)

[ -z "$FILE" ] && exit 0

# open helix
exec hx "$FILE"

my editor is hx

 

[kent_dorfman766]

The web server should be identifying the content as text/plain so that the browser can display it. Instead they are either not assigning any mime type or a wrong one, so the browser falls back to binary download of content.

 

[cracauer@]

The web server should be identifying the content as text/plain so that the browser can display it. Instead they are either not assigning any mime type or a wrong one, so the browser falls back to binary download of content.

No, that's not true. The web server sends the right mime type, but also another header forcing the download.

 

[blackbird9]

Using waterfox on windowmaker, it asks me to save the file, as the only option presented. However using waterfox on kde plasma, it gives me an option to either save the file or open it with an editor (kate), if I chose editor it opens the file in a separate window in the editor, and does not save it to the local drive (unless it's creating a temporary somewhere that it deletes automatically afterwards). So it appears that the desktop environment being used modifies the dialog that is presented when clicking on the link.

 

[cracauer@]

Using waterfox on windowmaker, it asks me to save the file, as the only option presented. However using waterfox on kde plasma, it gives me an option to either save the file or open it with an editor (kate), if I chose editor it opens the file in a separate window in the editor, and does not save it to the local drive (unless it's creating a temporary somewhere that it deletes automatically afterwards). So it appears that the desktop environment being used modifies the diaglog that is presented when clicking on the link.

If it's in the editor it is on a filesystem. You can find out where by trying to save the buffer after a modification.

 

[Kai Burghardt]

No, that's not true. The web server sends the right mime type, but also another header forcing the download.

I can not confirm that.​

curl -so dmesg.txt --dump-header - https://forums.freebsd.org/attachments/dmesg-txt.25923/

shows​

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Apr 2026 13:45:55 GMT
Content-Type: application/octet-stream
Content-Length: 2706
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Last-Modified: Mon, 13 Apr 2026 13:45:55 GMT
Content-Disposition: attachment; filename="dmesg.txt"
ETag: "1775934141"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

RFC 2616 explains that if a Content‑Disposition

[…] is used in a response with the application/octet-stream content-type, the implied suggestion is that the user agent should not display the response, but directly enter a ‘save response as …’ dialog.

Therefore to fix the problem is to properly detect and send text/plain as the Content‑Type. I just verified that file --mime dmesg.txt can do it. There are apparently no strange characters confusing recognition algorithms.​

 

[cracauer@]

Hmmm, I thought I had observed that in Chrome's webdev. Must have been some other site where the same problem appears. Maybe bugs.freebsd.org? Apologies.

Your analysis and proposed solution is sound then.

 

[Mjölnir]

OK. I can configure the DOWNLOAD setting in firefox to "Always ask you where to save files"
this pops up a dialouge where I can view the file in an editor or I can select a browser to view the file in .

That's several mouseclicks. The OP wants it to be just ONE.
[EDIT] In KDE (konqueror) it's right mouse button -> preview in... -> embedded enhanced text editor

 

[danger@]

I can not confirm that.​

curl -so dmesg.txt --dump-header - https://forums.freebsd.org/attachments/dmesg-txt.25923/

shows​

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Apr 2026 13:45:55 GMT
Content-Type: application/octet-stream
Content-Length: 2706
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Last-Modified: Mon, 13 Apr 2026 13:45:55 GMT
Content-Disposition: attachment; filename="dmesg.txt"
ETag: "1775934141"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

RFC 2616 explains that if a Content‑Disposition
Therefore to fix the problem is to properly detect and send text/plain as the Content‑Type. I just verified that file --mime dmesg.txt can do it. There are apparently no strange characters confusing recognition algorithms.​

this investigation is correct, however attachments are being handled by XenForo and it is XenForo which sets the Mime-type (Content-Type header); unfortunately it sets incorrect mime type (application/octet-stream instead of text/plain) in this case. It only handles image attachments correctly, all other attachments are sent as application/octet-stream. This is something that would require a fix upstream or an addon (which we do not prefer).

 

[cracauer@]

I know XenForo doesn't support it. I'd say hack up the PHP code. Just send content type text instad of octeats. Easy peasy.

 

[Maxnix]

As a workaround for Firefox there is this extension (don't know for Chromium): https://addons.mozilla.org/en-US/firefox/addon/open-in-browser/.

 

[AlfredoLlaquet]

I don't agree. I think they should be automatically zipped and sent to your most current email address unless you live in California. If you live in California, they should be printed and manually faxed to you.

Also, I think there should be a PinkFreeBSD theme. Why is there a BlueFreeBSD theme, but not a PinkFreeBSD theme?

Why?!?!

Why?!?!

 

[cracauer@]

I'm sure there is such an extension for Chrome, too, but it is hard to Google for it.

 

[DutchDaemon]

I know XenForo doesn't support it. I'd say hack up the PHP code. Just send content type text instad of octeats. Easy peasy.

To say XenForo has made this non-trivial (not to say extremely convoluted) is an understatement. That is the reason why the existing add-on for XF1 was never ported over to XF2, and why XF developers keep holding off on offering the option. Don't expect a Q & D solution from volunteer staff here. Sorry.

 

[eternal_noob]

That’s a basic web feature, and since XenForo costs a fortune, I’d flood their forums with complaints until they fix the problem.

 

[johnjohn]

Kai Burghardt is correct. Forcing a download is as simple as forgetting a content type header.

I'm a self-taught PHP coder and i've followed this thread. I agree that forced downloads of a plain text file is quite annoying. I'd also like to open a text file in a new window/tab. I do not have the source code to this forum, so it is a dificult shot to make. However, i have formulated a theory based upon examination of how the site is working from the client side perspective. I have seen the source code to phpbb, smf and two commercial packages (helping friends with code). Most of these forums are garbage PHP.

Not to get off track but may i vent for a moment? please? i've been banned from a few PHP forums in my early study days for the following reason: i got tired of being bullied and insulted and i stood up for myself and laid bare the truth: the bullies always refer to the weaving in-and-out of html and php as "spaghetti code". These php bullies will lecture newbies and slam down the mvc law and demand that PHP coders use symfony or laravel and class files for everything. Yet, if you examine their code closely, then you will see spaghetti code made from classes that is more spaghetti than an Italian guy with sauce in his mustache. id est, function that calls a function that calls a function that uses a built-in function to output text to the screen. You know, instead of using the caveman method of simply typing echo.

you will most likely know what i mean if you are an admin/moderator of this forum code and you have tried to track down attachment code. see what i mean? garbage PHP.

The actual attachment code is most likely broken up into several files in several places but i bet that you have an app file somewhere in the XF folder. My guess is to look for a folder named XF containing a file named App.php So probably forum_directory/src/XF/App.php

scroll though the App.php file looking for an array like the following that i found via online search:

$container['inlineImageTypes'] = function (Container $c) {
  return [
      'gif' => 'image/gif',
      'jpg' => 'image/jpeg'
];

the associative array appears to hold header content-type data. You could add the following key/value pair to see if it changes from forced download to display (do not forget to use a comma after the last key/value pair so that the text handler can be added as the last key/value pair):

'txt' => 'text/plain'
];

it is probably how the display is working anyway. Despite the fact that none of the key/value pairs are really being validated. Also, this 'patch' should work but then imaging a code-injection vulnerability... good lord!

 

[eternal_noob]

The soure code of XenForo is most likely encoded with ionCube or similar. It's not free.

 

[AlfredoLlaquet]

I suspect that not opening attachments in the browser is a security measure. The OS is much less likely to do crazy things just by storing a file, and the stored file enters the domain of your OS's security, which tends to be more reliable than that of your browser (or, at least, it falls outside XenForo's responsibility).

 

[blackbird9]

That might actually be closer to the truth. Even on kde, it opens it in an editor, not a browser window, so if something goes wrong, it's the editor to blame. So perhaps it's by design.
Although... firefox also opens pdf's in it's own window, and pdfs are well known for hosting exploits. So who knows.

It's hard to know what the best thing to do is when adding things like debug trace to a post. If you paste it inline, it can be huge. If you attach it, people may be forced to download it. I don't know what the answer is.

 

[johnjohn]

The soure code of XenForo is most likely encoded with ionCube or similar. It's not free.

I know that psywar people discourage old lingo but i just have to type one: LOL

some of the PHP devs are idiots. My message to such devs: if you wish to use a compiled language, then learn C/C++

i've seen these PHP encryption schemes before and every one of them are eventually decrypted. Besides, these commercial forums look ALOT like phpbb under the hood. winky-wink-wink

so back to the issue: well, the db is accessible to an admin, is it not? then one could intercept the route to index.php and handle it when it is a text file. One would have to get the db info, then send a few headers and the file should be visible. Such a method is definitely a hacking patch that may not go-over well with Foundation members but it will work. I'm certain that the request can be intercepted (man-in-the-middle, or perhaps woman-in-the-middle). One would have to use an intercepting index.php to catch the attachment request and handle it or load the indexold.php file to run the forum as usual. I've spent several hours tinkering with a test forum and it works for me using apache24, php 8 and mariadb. I imagine the db is simply named xenforo. Use the cli to query the db looking for xf_attachment(-s) tables, then find the table that holds the file name, file size and file hash data.

<?php
//database connection information, which can be encrypted/decrypted or store it above the root and require_once the file
$dbhost = '127.0.0.1'; //one should know this info and enter the correct host
$dbname = 'xenforo'; //db name should be xenforo but look it up
$dbuser = 'root'; //store the user name for the db. my example using mariadb default root with no pass
$dbpass = '';
$dbatt = array(
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
  );

if (!empty($SERVER['QUERY_STRING']) && is_string($SERVER['QUERY_STRING'])) {
 
  if (preg_match("/^attachments+\/[A-Za-z0-9\-]+txt.+[0-9]+\/+$/", mb_strtolower($_SERVER['QUERY_STRING'])) === 1) {
 
      $queryString = (array) explode('/', $_SERVER['QUERY_STRING']);
      $queryString = (array) explode('.', $queryString[1]);
      $filenumber = $queryString[1]; //we need the number from the end of the file as data_id
      $queryString = (array) explode('-txt', $queryString[0]);
      $file = $queryString[0] . '.txt';

      //one needs to find the actual directory where attachment hashes are stored and replace the string below with this path
      $filepath = 'data_path/attachments/possibly_another_dir/';

      //replace xf_attachment_table with the table that holds the correct attachment info
      $dbconn = new PDO("mysql:host=$dbhost; dbname=$dbname; charset=utf8mb4", $dbuser, $dbpass, $dbatt);
      $dbquery = 'SELECT file_size, file_hash FROM xf_attachment_table WHERE data_id = :did';
      $dpbsd = $dbconn->prepare($dbquery);
      $dpbsd->execute(array(':did' => $filenumber));
      $field = $dpbsd->fetch();

      $dbfilesize = $field['file_size']; //probably named file_size and file_hash respectively
      $dbhash = $field['file_hash'];
      $datafile = $filenumber . '-' . $dbhash . '.data';
      $actualfile = $filepath . $datafile;

      $encodedfilename = rawurlencode($file);
      header('Content-Type: text/plain; charset=UTF-8');
      header('Content-Length: ' . $dbfilesize);
      header("Content-Disposition: inline; filename*=UTF-8''" . $encodedfilename);
      echo file_get_contents($actualfile);
      exit; //we should be in the new tab or target window, so stop script execution
  }

}

require_once('indexold.php'); //otherwise, load the original index now renamed indexold

interception, then, appears to be your only solution using this forum software.

edit:
my example lacks error handling but you should already see that. Also, my code example is vulnerable/lacks security but it is just an example of interception. Obviously, the handler will require validation and tight security measures (anyone can just start typing attachment query strings and they will be processed by the example, id est, not server ready, PHP code).

 

[eternal_noob]

I like your MacGyver-style ingenuity.

But i think it's better to just make a add-on, just like the inline PDF add-on. Or something like option 2 in this post:

Viewing PDF attachments in the browser

The issue: Cannot get Safari to view PDF attachments in the browser, it always just downloads. The fix option 1: Install the Open PDF v1.5 add-on: https://www.xf2addons.com/resources/open-pdf.113/ The fix option 2: Add this code to your src/config.php file: $c->extend('inlineImageTypes'...

www.xf2addons.com