mirror of https://we.phorge.it/source/phorge.git synced 2024-11-13 02:12:41 +01:00
phorge-phorge/src/infrastructure
epriestley c8b4bfdcd1 Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks
Summary:
Some browsers will still sniff content types even with "Content-Type" and
"X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from
sniffing the content as HTML.

See T865.

Also unified some of the code on this pathway.

Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for
the test case in T865. Unit tests pass.

Reviewers: cbg, btrahan

Reviewed By: cbg

CC: aran, epriestley

Maniphest Tasks: T139, T865

Differential Revision: https://secure.phabricator.com/D1606
2012-02-14 14:51:51 -08:00
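The commit above describes a hardening rather than a change to the JSON data model: after the response is JSON-encoded, "<" and ">" are rewritten as the escapes "\u003c" and "\u003e", so a browser that sniffs the body despite "Content-Type" and "X-Content-Type-Options: nosniff" never sees an HTML tag, while a JSON parser on the client decodes the escapes back to the original characters. The following is an added example written for this page, not code from the Phabricator/Phorge repository; the function names, the Conduit-shaped sample response, and the user-supplied strings in it are constructed for illustration.

```javascript
// Added example, not code from the Phabricator/Phorge repository.
// Shows the content-sniffing defence from the commit message: encode the
// response as JSON, then replace "<" and ">" with JSON \u escapes.

// Naive encoding: any markup inside a user-controlled string lands in the
// response body verbatim, which is what a sniffing browser keys on.
function encodeJsonNaive(value) {
  return JSON.stringify(value);
}

// Hardened encoding. "<" and ">" are not JSON syntax characters, so they
// can only appear inside string literals; replacing them globally in the
// encoded text therefore cannot break the JSON structure, and "\u003c" /
// "\u003e" are valid JSON escapes that decode to the same characters.
function encodeJsonForBrowser(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

// Check a practitioner would want: does the wire body contain anything a
// sniffer could read as an HTML tag?
function hasNoAngleBrackets(body) {
  return !/[<>]/.test(body);
}

// Constructed sample (hypothetical data): a Conduit-style result whose
// payload carries strings a user could have typed, including markup.
const sampleResponse = {
  result: {
    title: "Task title with <script>alert(document.cookie)</script>",
    note: "a < b && b > c",
  },
  error_code: null,
  error_info: null,
};

// Encode the sample both ways and confirm the hardened body still decodes
// to exactly the same value as the naive one.
function demo() {
  const naive = encodeJsonNaive(sampleResponse);
  const hardened = encodeJsonForBrowser(sampleResponse);
  const roundTrip = JSON.stringify(JSON.parse(hardened)) === naive;
  return {
    naive,
    hardened,
    roundTrip,
    naiveSafe: hasNoAngleBrackets(naive),
    hardenedSafe: hasNoAngleBrackets(hardened),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("naive    :", r.naive);
  console.log("hardened :", r.hardened);
  console.log("round-trips:", r.roundTrip, "hardened is tag-free:", r.hardenedSafe);
}
```

The replacement runs on the encoded text rather than on the input values, which is what makes it safe to apply at the response boundary: it needs no knowledge of the payload's shape and cannot be bypassed by nesting. This example only covers the two characters the commit names; some encoders also escape "&" and "/" for the same reason, but that goes beyond what the page describes.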
__tests__ Add test to check all symbols can be loaded 2011-10-20 16:43:13 -07:00
celerity Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks 2012-02-14 14:51:51 -08:00
daemon D1535 2012-02-10 09:47:57 -08:00
diff/engine Fix Diffusion rendering of SVN files which did not change 2011-07-20 11:54:33 -07:00
env Lock down accepted next URI values for redirect after login 2012-01-13 11:58:45 -08:00
events Add a "maniphest.update" Conduit method 2012-01-06 11:52:00 -08:00
javelin Avoid sending CSRF token in GET and external forms 2012-02-03 10:58:51 -08:00
lint Add a custom lint name hook to Phabricator 2011-08-31 13:49:30 -07:00
markup/remarkup/markuprule Allow full anchors in remarkup object names 2012-02-03 15:50:19 -08:00
setup Detect empty $PATH environmental var 2012-01-16 11:49:19 -08:00
testing/testcase Merge __init_env__.php into __init_script__.php 2011-10-02 11:48:09 -07:00
util/hash Move most remaining sha1() calls to HMAC 2011-12-19 08:56:53 -08:00