Whitelist allowed editor protocols

Authored by epriestley <git@epriestley.com> on Mar 17 2014, 21:00.

Description

Whitelist allowed editor protocols

Summary:
This is the other half of D8548. Specifically, the attack here was to set your own editor link to javascript\n:... and then you could XSS yourself. This isn't a hugely damaging attack, but we can be more certain by adding a whitelist here.

We already whitelist linkable protocols in remarkup (uri.allowed-protocols) in general.

Test Plan:
Tried to set and use valid/invalid editor URIs.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D8551
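To illustrate the whitelist approach the commit describes, here is a small added example (not Phabricator's code; the protocol list, function names and sample URIs are assumptions). It contrasts a substring blacklist, which a scheme such as `javascript\n:` slips past, with a strict scheme whitelist that fails closed on anything it cannot parse as a well-formed scheme.

```python
import re

# Constructed whitelist for this example. Phabricator's real list lives in its
# uri.allowed-protocols configuration, which is not reproduced here.
ALLOWED_EDITOR_PROTOCOLS = frozenset({"http", "https", "txmt", "mvim", "subl"})

# A scheme must start at offset 0 and contain only RFC 3986 scheme characters
# (ALPHA *(ALPHA / DIGIT / "+" / "-" / ".")), immediately followed by ':'.
_SCHEME_RE = re.compile(r"\A([A-Za-z][A-Za-z0-9+.\-]*):")


def editor_uri_protocol(uri):
    """Return the lower-cased scheme of `uri`, or None when no well-formed
    scheme sits at position zero (leading whitespace, '\\n' before the ':',
    or a scheme-relative '//host' all yield None)."""
    m = _SCHEME_RE.match(uri)
    return m.group(1).lower() if m else None


def is_allowed_editor_uri(uri, allowed=ALLOWED_EDITOR_PROTOCOLS):
    """True only when the URI carries an explicit, whitelisted scheme.

    Because the decision is 'is the scheme one we recognise' rather than
    'is the scheme one we have banned', an unparseable scheme is rejected
    instead of being waved through.
    """
    proto = editor_uri_protocol(uri)
    return proto is not None and proto in allowed


def naive_blacklist_allows(uri):
    """The fragile check a whitelist replaces: a prefix blacklist.

    Browsers strip ASCII tab and newline characters from a URL before parsing
    it, so 'javascript\\n:' behaves as 'javascript:' in the browser while
    failing this string comparison on the server. Shown only to make the
    failure mode concrete.
    """
    return not uri.lower().startswith("javascript:")
```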

Details

Committed: epriestley <git@epriestley.com>, Mar 17 2014, 21:00
Pushed: aubort, Jan 31 2017, 17:16
Parents: rPHced70f6b3278: Make install documentation more clear about Windows support
Branches: Unknown
Tags: Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH039b8e43b98c: Whitelist allowed editor protocols (authored by epriestley <git@epriestley.com>). Mar 17 2014, 21:00