diff -urN '--exclude=CVS' '--exclude=*.pdf' '--exclude=.bzr' bugzilla-4.0.4/template/en/default/attachment/show-multiple.html.tmpl bugzilla-4.0.5/template/en/default/attachment/show-multiple.html.tmpl
--- bugzilla-4.0.4/template/en/default/attachment/show-multiple.html.tmpl	2010-03-07 13:46:25.000000000 -0500
+++ bugzilla-4.0.5/template/en/default/attachment/show-multiple.html.tmpl	2012-02-22 15:34:38.443747000 -0500
@@ -83,10 +83,22 @@
   </table>
 
   [% IF a.is_viewable %]
-    <iframe src="attachment.cgi?id=[% a.id %]" width="75%" height="350">
-      <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
-      <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
-    </iframe>
+    [% IF a.contenttype == "text/html" %]
+      [%# For security reasons (clickjacking, embedded scripts), we never
+        # render HTML pages from here. The source code is displayed instead. %]
+      [% INCLUDE global/textarea.html.tmpl
+         minrows = 10
+         cols    = 80
+         defaultcontent = a.data
+         readonly = 'readonly'
+         classes = 'viewall_frame'
+      %]
+    [% ELSE %]
+      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
+        <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
+        <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
+      </iframe>
+    [% END %]
   [% ELSE %]
     <p><b>
       Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*.
diff -urN '--exclude=CVS' '--exclude=*.pdf' '--exclude=.bzr' bugzilla-4.0.4/template/en/default/global/user-error.html.tmpl bugzilla-4.0.5/template/en/default/global/user-error.html.tmpl
--- bugzilla-4.0.4/template/en/default/global/user-error.html.tmpl	2012-01-31 11:16:56.000000000 -0500
+++ bugzilla-4.0.5/template/en/default/global/user-error.html.tmpl	2012-02-22 15:34:38.443747000 -0500
@@ -1685,6 +1685,11 @@
     &lt;[% type FILTER html %]&gt; field. (See the XML-RPC specification
     for details.)
 
+  [% ELSIF error == "xmlrpc_illegal_content_type" %]
+    When using XML-RPC, you cannot send data as
+    [%+ content_type FILTER html %]. Only text/xml 
+    and application/xml are allowed.
+
   [% ELSIF error == "zero_length_file" %]
     [% title = "File Is Empty" %]
     The file you are trying to attach is empty, does not exist, or you don't
diff -urN '--exclude=CVS' '--exclude=*.pdf' '--exclude=.bzr' bugzilla-4.0.4/template/en/default/pages/release-notes.html.tmpl bugzilla-4.0.5/template/en/default/pages/release-notes.html.tmpl
--- bugzilla-4.0.4/template/en/default/pages/release-notes.html.tmpl	2012-01-27 17:16:47.000000000 -0500
+++ bugzilla-4.0.5/template/en/default/pages/release-notes.html.tmpl	2012-02-22 15:34:38.443747000 -0500
@@ -72,6 +72,22 @@
 
 <h2 id="v40_point">Updates in this 4.0.x Release</h2>
 
+<h3>4.0.5</h3>
+
+<p>This release fixes one security issue. See the
+  <a href="http://www.bugzilla.org/security/4.0.4/">Security Advisory</a>
+  for details.</p>
+
+<p>In addition, the following important change has been made in this release:</p>
+
+<ul>
+  <li>Clickjacking could possibly occur in the attachment "View All" page if a user
+  attached a specially formatted HTML file. To fix this potential problem, the
+  "View All" page now always displays the source code for all attachments whose
+  MIME type is <em>text/html</em>.
+  (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=722161">[% terms.Bug %] 722161</a>)</li>
+</ul>
+
 <h3>4.0.4</h3>
 
 <p>This release fixes two security issues. See the