mirror of https://we.phorge.it/source/phorge.git synced 2024-12-27 16:00:59 +01:00

Lock uri.allowed-protocols in Config

Summary: This allows administrative overreach. Administrators can enable `javascript:` and then XSS things if this isn't locked.

Test Plan: Viewed value on web UI, verified it was locked.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D6975
epriestley 2013-09-13 11:48:43 -07:00
parent de10d91963
commit c72f3b4bf1


@ -124,7 +124,8 @@ final class PhabricatorSecurityConfigOptions
"whitelist is primarily to prevent security issues like ".
"javascript:// URIs."))
->addExample(
'{"http": true, "https": true"}', pht('Valid Setting')),
'{"http": true, "https": true"}', pht('Valid Setting'))
->setLocked(true),
$this->newOption(
'celerity.resource-hash',
'string',
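Review bot: The example string passed to `->addExample(` has a stray double quote after the second `true` (`"https": true"}`), so the value labelled 'Valid Setting' is not valid JSON. Since this line is already being touched to drop the trailing comma, change it to `'{"http": true, "https": true}'`. Separately, now that `->setLocked(true)` is chained on, consider having the option's description say that the protocol whitelist cannot be edited from the web UI, so an administrator who sees the locked field understands why.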