Lock uri.allowed-protocols in Config

Summary: This allows administrative overreach. Administrators can enable `javascript:` and then XSS things if this isn't locked. Test Plan: Viewed value on web UI, verified it was locked. Reviewers: btrahan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D6975
2024-11-27 01:02:42 +01:00 · 2013-09-13 11:48:43 -07:00 · 2013-09-13 11:48:43 -07:00 · c72f3b4bf1
commit c72f3b4bf1
parent de10d91963
1 changed files with 2 additions and 1 deletions
--- a/src/applications/config/option/PhabricatorSecurityConfigOptions.php
+++ b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
@ -124,7 +124,8 @@ final class PhabricatorSecurityConfigOptions
            "whitelist is primarily to prevent security issues like ".
            "javascript:// URIs."))
        ->addExample(
-          '{"http": true, "https": true"}', pht('Valid Setting')),
+          '{"http": true, "https": true"}', pht('Valid Setting'))
+        ->setLocked(true),
       $this->newOption(
         'celerity.resource-hash',
         'string',