From 4004cf9c883a4b8d8ca71223462bc19895f9b366 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Tue, 24 Feb 2026 23:07:41 +0100
Subject: [PATCH] Added documentation on ATTACHMENT_SHOW_HTML_FILES env
---
 docs/configuration.md | 3 +++
 src/Settings/SystemSettings/AttachmentsSettings.php | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/docs/configuration.md b/docs/configuration.md
index 709c39b3..b4c3d747 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -86,6 +86,9 @@ bundled with Part-DB. Set `DATABASE_MYSQL_SSL_VERIFY_CERT` if you want to accept
 * `ATTACHMENT_DOWNLOAD_BY_DEFAULT`: When this is set to 1, the "download external file" checkbox is checked by default when adding a new attachment. Otherwise, it is unchecked by default. Use this if you wanna download all attachments locally by default. Attachment download is only possible, when `ALLOW_ATTACHMENT_DOWNLOADS` is set to 1.
+* `ATTACHMENT_SHOW_HTML_FILES`: When enabled, user uploaded HTML attachments can be viewed directly in the browser.
+ Many potential malicious functions are restricted, still this is a potential security risk and should only be enabled,
+ if you trust the users who can upload files. When set to 0, HTML files are rendered as plain text.
 * `USE_GRAVATAR`: Set to `1` to use [gravatar.com](https://gravatar.com/) images for user avatars (as long as they have not set their own picture). The users browsers have to download the pictures from a third-party (gravatar) server, so this might be a privacy risk.
diff --git a/src/Settings/SystemSettings/AttachmentsSettings.php b/src/Settings/SystemSettings/AttachmentsSettings.php
index 2a682b11..5aa3f91d 100644
--- a/src/Settings/SystemSettings/AttachmentsSettings.php
+++ b/src/Settings/SystemSettings/AttachmentsSettings.php
@@ -62,7 +62,7 @@ class AttachmentsSettings
 #[SettingsParameter(
 label: new TM("settings.system.attachments.showHTMLAttachments"),
 description: new TM("settings.system.attachments.showHTMLAttachments.help"),
- envVar: "bool:ATTACHMENT_SHOW_HTML", envVarMode: EnvVarMode::OVERWRITE
+ envVar: "bool:ATTACHMENT_SHOW_HTML_FILES", envVarMode: EnvVarMode::OVERWRITE
 )]
 public bool $showHTMLAttachments = false;
 }
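Review bot: The `envVar` value changes from `bool:ATTACHMENT_SHOW_HTML` to `bool:ATTACHMENT_SHOW_HTML_FILES` with no fallback, so a deployment that still sets the old name will silently stop applying it, although the commit subject only mentions documentation. Because the mode is `EnvVarMode::OVERWRITE`, this presumably matters most for an operator who pinned the old variable to 0: the pin disappears and a stored `showHTMLAttachments` value of true could take effect again, re-enabling in-browser rendering of uploaded HTML. I would record the rename in the upgrade notes and add a comment above the attribute, e.g. `// Env var renamed from ATTACHMENT_SHOW_HTML; the old name is no longer read.` The class body starts outside the hunk, so whether another place still reads the old name cannot be checked here.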