1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-24 15:52:41 +01:00
phorge-phorge/src/aphront/response
epriestley c8b4bfdcd1 Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks
Summary:
Some browsers will still sniff content types even with "Content-Type" and
"X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from
sniffing the content as HTML.

See T865.

Also unified some of the code on this pathway.

Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for
the test case in T865. Unit tests pass.

Reviewers: cbg, btrahan

Reviewed By: cbg

CC: aran, epriestley

Maniphest Tasks: T139, T865

Differential Revision: https://secure.phabricator.com/D1606
2012-02-14 14:51:51 -08:00
..
304 Fix horrible broken mess in 304 handling 2011-05-10 16:11:29 -07:00
400 Allow Celerity to return "304 Not Modified" responses 2011-05-10 14:33:11 -07:00
403 Send 403 for admin pages without being admin 2012-01-15 17:30:23 -08:00
404 Send 403 for admin pages without being admin 2012-01-15 17:30:23 -08:00
ajax Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks 2012-02-14 14:51:51 -08:00
base Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks 2012-02-14 14:51:51 -08:00
dialog Distinguish between aphront and phabricator. 2011-01-22 17:45:28 -08:00
file Improve error message for Conduit path problems 2012-01-16 11:48:21 -08:00
json Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks 2012-02-14 14:51:51 -08:00
plaintext Improve error message for Conduit path problems 2012-01-16 11:48:21 -08:00
redirect Add X-Frame-Options for all response 2011-09-14 10:43:24 -07:00
reload Allow revisions to be edited from Maniphest 2011-05-16 15:31:46 -07:00
webpage Add X-Frame-Options for all response 2011-09-14 10:43:24 -07:00