mirror of https://we.phorge.it/source/phorge.git synced 2024-11-11 01:12:41 +01:00
phorge-phorge/src/applications
epriestley 65a56c6ce0 Improve mailing list edit form
Summary:
  - Add some captions to make it more clear what these fields mean.
  - Require "name", since tokenizers use it exclusively.
  - Limit URI to allowed protocols, since admins can currently XSS users by
entering a "javascript:" URI and then tricking the user into clicking the
mailing list name. This exploit is dumb, but technically privilege escalation.

Test Plan:
  - Created a new mailing list.
  - Edited a mailing list.
  - Tested URI: valid, invalid, omitted.
  - Tested name: valid, omitted.

Reviewers: btrahan, jungejason, davidreuss

Reviewed By: btrahan

CC: aran, btrahan

Differential Revision: https://secure.phabricator.com/D1365
2012-01-11 15:48:21 -08:00
audit Add Basic Auditing Functionalities 2011-12-20 13:36:53 -08:00
auth Validate logins, and simplify email password resets 2012-01-11 08:25:55 -08:00
base Make detection/recovery for bad cookies more strict 2011-08-19 15:45:35 -07:00
calendar Build a basic calendar view 2011-08-08 10:34:06 -07:00
conduit Added conduit method to get maniphest transactions 2012-01-11 09:13:59 -08:00
countdown Countdown - kill tabs 2011-12-15 14:31:25 -08:00
daemon Refactor repository reparse scripts to be more useful 2011-09-27 17:20:04 -07:00
differential Kill PhabricatorFileURI 2012-01-10 15:21:39 -08:00
diffusion Add a link from Differential to Diffusion 2012-01-05 18:03:08 -08:00
directory Dedupe DIRECTORY w/ Directory tab in directory header 2011-11-28 13:03:46 -08:00
draft/storage Revision comment drafts. 2011-02-05 16:57:21 -08:00
feed Kill PhabricatorFileURI 2012-01-10 15:21:39 -08:00
files Kill PhabricatorFileURI 2012-01-10 15:21:39 -08:00
help/controller Explicitly show that "escape" closes dialogs in Phabricator 2011-08-02 09:21:28 -07:00
herald ...fix my fat finger period to a comma 2011-12-29 08:55:54 -08:00
maniphest Add getStrList() to AphrontRequest 2012-01-04 10:18:46 -08:00
markup Fix undefined index header.generate-toc in Differential 2012-01-06 23:52:39 -08:00
metamta Improve mailing list edit form 2012-01-11 15:48:21 -08:00
owners Fix issue when a path is '/' in a package 2011-12-22 09:58:19 -08:00
paste Kill PhabricatorFileURI 2012-01-10 15:21:39 -08:00
people Validate logins, and simplify email password resets 2012-01-11 08:25:55 -08:00
phid Kill PhabricatorFileURI 2012-01-10 15:21:39 -08:00
phriction Enable Table of Contents in Phriction 2012-01-06 11:52:50 -08:00
project Kill PhabricatorFileURI 2012-01-10 15:21:39 -08:00
repository Support Git implicit file:// URIs 2012-01-11 09:00:18 -08:00
search Kill PhabricatorFileURI 2012-01-10 15:21:39 -08:00
slowvote Kill PhabricatorFileURI 2012-01-10 15:21:39 -08:00
status/base Add /status/ 2011-04-08 11:13:51 -07:00
typeahead/controller Add a name token table so on-demand typeaheads can match last names 2011-10-23 14:25:26 -07:00
uiexample Examples using JX.View 2011-11-06 15:17:00 -08:00
xhpastview Add missing includes from XHPAST parse bug. 2011-04-06 23:14:58 -07:00
xhprof Improve DarkConsole "Services" and "XHProf" plugins 2011-07-11 12:51:58 -07:00