phorge-phorge

mirror of https://we.phorge.it/source/phorge.git synced 2024-11-11 17:32:41 +01:00

History

epriestley 039b8e43b9 Whitelist allowed editor protocols Summary: This is the other half of D8548. Specifically, the attack here was to set your own editor link to `javascript\n:...` and then you could XSS yourself. This isn't a hugely damaging attack, but we can be more certain by adding a whitelist here. We already whitelist linkable protocols in remarkup (`uri.allowed-protocols`) in general. Test Plan: Tried to set and use valid/invalid editor URIs. {F130883} {F130884} Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D8551	2014-03-17 13:00:37 -07:00
..
PhabricatorApplicationSupport.php	Whitelist allowed editor protocols	2014-03-17 13:00:37 -07:00

epriestley 039b8e43b9 Whitelist allowed editor protocols

Summary:
This is the other half of D8548. Specifically, the attack here was to set your own editor link to `javascript\n:...` and then you could XSS yourself. This isn't a hugely damaging attack, but we can be more certain by adding a whitelist here.

We already whitelist linkable protocols in remarkup (`uri.allowed-protocols`) in general.

Test Plan:
Tried to set and use valid/invalid editor URIs.

{F130883}

{F130884}

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D8551

2014-03-17 13:00:37 -07:00

PhabricatorApplicationSupport.php

Whitelist allowed editor protocols

2014-03-17 13:00:37 -07:00