diff --git a/lib/filelib.php b/lib/filelib.php
index ad2bed4464a..2d4a3ff3a0e 100644
--- a/lib/filelib.php
+++ b/lib/filelib.php
@@ -62,6 +62,7 @@ function get_mimetypes_array() {
 'dir' => array ('type'=>'application/x-director', 'icon'=>'flash.gif'),
 'dxr' => array ('type'=>'application/x-director', 'icon'=>'flash.gif'),
 'eps' => array ('type'=>'application/postscript', 'icon'=>'pdf.gif'),
+ 'fdf' => array ('type'=>'application/pdf', 'icon'=>'pdf.gif'),
 'gif' => array ('type'=>'image/gif', 'icon'=>'image.gif'),
 'gtar' => array ('type'=>'application/x-gtar', 'icon'=>'zip.gif'),
 'tgz' => array ('type'=>'application/g-zip', 'icon'=>'zip.gif'),
@@ -159,6 +160,9 @@ function get_mimetypes_array() {
 'wav' => array ('type'=>'audio/wav', 'icon'=>'audio.gif'),
 'wmv' => array ('type'=>'video/x-ms-wmv', 'icon'=>'avi.gif'),
 'asf' => array ('type'=>'video/x-ms-asf', 'icon'=>'avi.gif'),
+ 'xdp' => array ('type'=>'application/pdf', 'icon'=>'pdf.gif'),
+ 'xfd' => array ('type'=>'application/pdf', 'icon'=>'pdf.gif'),
+ 'xfdf' => array ('type'=>'application/pdf', 'icon'=>'pdf.gif'),
 'xls' => array ('type'=>'application/vnd.ms-excel', 'icon'=>'excel.gif'),
 'xml' => array ('type'=>'application/xml', 'icon'=>'xml.gif'),
 'xsl' => array ('type'=>'text/xml', 'icon'=>'xml.gif'),
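Review bot: The `fdf` entry, and the `xdp`/`xfd`/`xfdf` entries in the second hunk, are mapped to `application/pdf` although these are Acrobat form-data formats rather than PDF documents, and nothing in get_mimetypes_array() records why. A later maintainer is likely to "correct" the type and silently lose the force-download handling that send_file() applies to `application/pdf`. I'd add a comment on the `fdf` line, e.g. `// not PDF documents: mapped to application/pdf on purpose so send_file() applies the Acrobat Reader XSS handling`, and the same one on the `xdp` line. The enclosing function extends well beyond both hunks.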
@@ -255,10 +259,17 @@ function send_file($path, $filename, $lifetime=86400 , $filter=0, $pathisstring=
 $lastmodified = $pathisstring ? time() : filemtime($path);
 $filesize = $pathisstring ? strlen($path) : filesize($path);
- if ($mimetype=='application/pdf') {
- //Adobe Reader XSS prevention - please note that it prevents opening of pdfs in browser
- $mimetype = 'application/x-forcedownload';
- $forcedownload = true;
+ //Adobe Acrobat Reader XSS prevention
+ if ($mimetype=='application/pdf' or mimeinfo('type', $filename)=='application/pdf') {
+ //please note that it prevents opening of pdfs in browser when http referer disabled
+ //or file linked from another site; browser caching of pdfs is now disabled too
+ if (empty($_SERVER['HTTP_REFERER']) or strpos($_SERVER['HTTP_REFERER'], $CFG->wwwroot)!==0) {
+ $mimetype = 'application/x-forcedownload';
+ $forcedownload = true;
+ $lifetime = 0;
+ } else {
+ $lifetime = 1; // >0 needed for byteserving
+ }
 }
 //IE compatibiltiy HACK!
diff --git a/lib/weblib.php b/lib/weblib.php
index cccd2c2a2cb..8cae2365aa5 100644
--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -1720,10 +1720,8 @@ function cleanAttributes2($htmlArray){
 $arreach['value'] = preg_replace("/j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t/i", "Xjavascript", $arreach['value']);
 $arreach['value'] = preg_replace("/e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n/i", "Xexpression", $arreach['value']);
 } else if ($arreach['name'] == 'href') {
- if (stripos($arreach['value'], '.pdf')) {
- //Adobe Reader XSS protection
- $arreach['value'] = preg_replace('/(\.pdf)[^a-z0-9_\.\-].*$/i', '$1', $arreach['value']);
- }
+ //Adobe Acrobat Reader XSS protection
+ $arreach['value'] = preg_replace('/(\.(pdf|fdf|xfdf|xdp|xfd))[^a-z0-9_\.\-].*$/i', '$1', $arreach['value']);
 }
 $attStr .= ' '.$arreach['name'].'="'.$arreach['value'].'"';
 }
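Review bot: The referer test `strpos($_SERVER['HTTP_REFERER'], $CFG->wwwroot)!==0` only checks that the referer string begins with $CFG->wwwroot, so a referer on another host whose name merely extends the wwwroot string would also be treated as local; anchoring on the following separator, `strpos($_SERVER['HTTP_REFERER'], $CFG->wwwroot.'/')!==0`, closes that gap (this assumes wwwroot is stored without a trailing slash — confirm for this codebase). The referer header is client-supplied and may be absent because of proxies or privacy settings, which the new comment acknowledges, so this stays a heuristic and the force-download branch is rightly the default. The else branch sets `$lifetime = 1` with only the remark that byteserving needs a value above zero; stating the unit (seconds) in that comment, or naming a constant, would make the intent clearer. `$CFG` is referenced here but the function header is outside the hunk, so I cannot see the `global $CFG;` declaration — verify it is in scope.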
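Review bot: The new `preg_replace` truncates the href at the first `.pdf`/`.fdf`/`.xfdf`/`.xdp`/`.xfd` that is followed by any character outside `[a-z0-9_.-]`, which covers the intended query string and fragment but also cuts a path where such an extension occurs mid-URL (a directory named `docs.pdf/`, for instance), and the one-line comment does not say so. I'd expand it to `// Acrobat Reader XSS protection: strip anything following a PDF-family extension (query string, fragment, trailing path) so no parameters reach the reader plugin`. `preg_replace` returns null on a PCRE error, in which case the attribute is emitted with an empty value on the `$attStr .=` line; that predates this hunk, but a `=== null` check is cheap in a function that, judging by its name, handles untrusted markup. cleanAttributes2() begins before this hunk.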