mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-25 08:12:40 +01:00
039b8e43b9
Summary: This is the other half of D8548. Specifically, the attack here was to set your own editor link to `javascript\n:...` and then you could XSS yourself. This isn't a hugely damaging attack, but we can be more certain by adding a whitelist here. We already whitelist linkable protocols in remarkup (`uri.allowed-protocols`) in general.

Test Plan: Tried to set and use valid/invalid editor URIs.

{F130883} {F130884}

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D8551
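As an added example (not code from this commit, nor from Phabricator or Phorge), the following Python contrasts a blacklist check of the kind the message calls insufficient with a scheme whitelist in the spirit of the fix. The allow-list contents, the function names and the `browser_normalize` approximation are assumptions made for this example; the real `uri.allowed-protocols` values are not on this page.

```python
import re

# Constructed allow-list for this example. Phabricator's real setting is the
# `uri.allowed-protocols` config value; its actual contents are not on this page.
ALLOWED_PROTOCOLS = frozenset({"http", "https", "txmt", "subl"})

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
# Anchored at the start, so a newline or any other stray byte inside the scheme
# simply means "no scheme", which the whitelist then rejects.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def naive_is_safe(uri: str) -> bool:
    """Blacklist check of the kind the whitelist replaces: it only rejects a
    literal 'javascript:' prefix, so 'javascript\\n:...' slips through."""
    return not uri.lower().startswith("javascript:")


def browser_normalize(uri: str) -> str:
    """Assumed approximation of the cleanup a browser's URL parser performs
    before it reads the scheme: leading/trailing C0 controls and spaces are
    trimmed, and ASCII tab, LF and CR are removed everywhere. This is why the
    newline that defeats the blacklist above does not protect the user."""
    uri = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", uri)
    return re.sub(r"[\t\n\r]", "", uri)


def is_allowed_uri(uri: str) -> bool:
    """Whitelist check in the spirit of the fix: accept only an absolute URI
    whose scheme parses cleanly and is on the allow-list (case-insensitive).
    Relative URIs, 'javascript:', 'data:' and mangled schemes all fail."""
    m = _SCHEME_RE.match(uri)
    if m is None:
        return False
    return m.group(1).lower() in ALLOWED_PROTOCOLS


if __name__ == "__main__":
    # Constructed candidates: two legitimate editor links, the vector named in
    # the commit message, its plain form, and a relative path.
    for candidate in ("https://example.com/", "txmt://open?url=file://%f&line=%l",
                      "javascript\n:...", "javascript:...", "/relative"):
        print(repr(candidate), naive_is_safe(candidate), is_allowed_uri(candidate))
```

The whitelist is deliberately strict: a URI with leading whitespace or no scheme at all is refused rather than cleaned up, because the check runs at save time on the server (as the commit does for the editor-link setting) and the stored value is what later lands in an `href`.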