mirror of https://we.phorge.it/source/phorge.git synced 2024-11-13 10:22:42 +01:00
phorge-phorge/src/applications/settings
epriestley 039b8e43b9 Whitelist allowed editor protocols
Summary:
This is the other half of D8548. Specifically, the attack here was to set your own editor link to `javascript\n:...` and then you could XSS yourself. This isn't a hugely damaging attack, but we can be more certain by adding a whitelist here.

We already whitelist linkable protocols in remarkup (`uri.allowed-protocols`) in general.

Test Plan:
Tried to set and use valid/invalid editor URIs.

{F130883}

{F130884}

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D8551
2014-03-17 13:00:37 -07:00
application Miniaturize the nav buttons 2014-01-31 09:10:32 -08:00
controller Remove dust from page construction 2013-08-19 18:09:35 -07:00
panel Whitelist allowed editor protocols 2014-03-17 13:00:37 -07:00
storage Split Diffusion "view" preference into blame and color preferences 2013-09-19 16:01:58 -07:00