mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-30 10:42:41 +01:00
Lock uri.allowed-protocols
in Config
Summary: This allows administrative overreach. Administrators can enable `javascript:` and then XSS things if this isn't locked. Test Plan: Viewed value on web UI, verified it was locked. Reviewers: btrahan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D6975
This commit is contained in:
parent
de10d91963
commit
c72f3b4bf1
1 changed files with 2 additions and 1 deletions
|
@ -124,7 +124,8 @@ final class PhabricatorSecurityConfigOptions
|
|||
"whitelist is primarily to prevent security issues like ".
|
||||
"javascript:// URIs."))
|
||||
->addExample(
|
||||
'{"http": true, "https": true"}', pht('Valid Setting')),
|
||||
'{"http": true, "https": true"}', pht('Valid Setting'))
|
||||
->setLocked(true),
|
||||
$this->newOption(
|
||||
'celerity.resource-hash',
|
||||
'string',
|
||||
|
|
Loading…
Reference in a new issue