mirror of https://we.phorge.it/source/phorge.git synced 2024-11-10 17:02:41 +01:00
phorge-phorge/src/aphront
epriestley c8b4bfdcd1 Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks
Summary:
Some browsers will still sniff content types even with "Content-Type" and
"X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from
sniffing the content as HTML.

See T865.

Also unified some of the code on this pathway.

Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for
the test case in T865. Unit tests pass.

Reviewers: cbg, btrahan

Reviewed By: cbg

CC: aran, epriestley

Maniphest Tasks: T139, T865

Differential Revision: https://secure.phabricator.com/D1606
2012-02-14 14:51:51 -08:00
Directory  |  Last commit message  |  Date
applicationconfiguration  |  Automatically redirect 404s that wouldn't be 404s if they had a trailing slash  |  2011-04-04 10:29:46 -07:00
console  |  Minor, fix number_format() warning.  |  2012-01-05 09:09:36 -08:00
controller  |  Modularize oauth.  |  2011-02-27 20:38:11 -08:00
default  |  Add very very basic reporting to Maniphest  |  2012-02-08 09:47:14 -08:00
exception  |  Fix conservative CSRF token cycling limit  |  2011-07-14 08:09:40 -07:00
mapper  |  Import some code, some of which may be relevant to the project.  |  2011-01-17 19:31:39 -08:00
request  |  Improve error message for Conduit path problems  |  2012-01-16 11:48:21 -08:00
response  |  Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks  |  2012-02-14 14:51:51 -08:00
sink  |  Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks  |  2012-02-14 14:51:51 -08:00
writeguard  |  Create AphrontWriteGuard, a backup mechanism for CSRF validation  |  2011-08-16 13:29:57 -07:00