phorge-phorge

revi-archive/phorge-phorge

Fork 0

mirror of https://we.phorge.it/source/phorge.git synced 2024-11-11 17:32:41 +01:00

Commit graph

Author	SHA1	Message	Date
epriestley	039b8e43b9	Whitelist allowed editor protocols Summary: This is the other half of D8548. Specifically, the attack here was to set your own editor link to `javascript\n:...` and then you could XSS yourself. This isn't a hugely damaging attack, but we can be more certain by adding a whitelist here. We already whitelist linkable protocols in remarkup (`uri.allowed-protocols`) in general. Test Plan: Tried to set and use valid/invalid editor URIs. {F130883} {F130884} Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D8551	2014-03-17 13:00:37 -07:00

Author

SHA1

Message

Date

epriestley

039b8e43b9

Whitelist allowed editor protocols

Summary:
This is the other half of D8548. Specifically, the attack here was to set your own editor link to `javascript\n:...` and then you could XSS yourself. This isn't a hugely damaging attack, but we can be more certain by adding a whitelist here.

We already whitelist linkable protocols in remarkup (`uri.allowed-protocols`) in general.

Test Plan:
Tried to set and use valid/invalid editor URIs.

{F130883}

{F130884}

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D8551

2014-03-17 13:00:37 -07:00

1 commit