
Add a blanket guard for 'javascript:' hrefs in libphutil

Authored by epriestley <git@epriestley.com> on Jan 11 2012, 23:05.

Description

Add a blanket guard for 'javascript:' hrefs in libphutil

Summary:
In our application (and, I claim in the comments, any "well designed"
application) these are never intentional and always indicate an attack vector.
D1365 closes such a vector (albeit an admin-only one), but we can also just put
a blanket check here.

On its own this would be a poor approach because it's a blacklist rather than a
whitelist (it does nothing about these URIs in other attributes, or about other
dangerous URIs), but I think it's a reasonable complement to other mechanisms
and practices, like the SQL syntax error checks.

Test Plan:

  • Ran unit tests.
  • Browsed site.
  • Profiled some heavy pages, this adds less than a millisecond to a 1000-task Maniphest list.

Reviewers: btrahan, jungejason, arice

Reviewed By: arice

CC: aran, arice, epriestley

Differential Revision: https://secure.phabricator.com/D1366
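As an added illustration, not libphutil's own code, this is the kind of href scheme check the commit describes, written in Python rather than PHP. It applies the whitespace and control-character stripping browsers perform before parsing a URL (so case and embedded tabs do not bypass the check), and places a scheme whitelist beside the blanket blacklist to show the gap the summary mentions. The allowed-scheme set and sample hrefs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Browsers drop ASCII control characters and whitespace from a URL before
# parsing it, so "java\tscript:" or " JAVASCRIPT:" still run as script.
# Normalise the same way before looking at the scheme.
_CONTROL_AND_SPACE = re.compile(r"[\x00-\x20\x7f]")

def normalise_href(href: str) -> str:
    return _CONTROL_AND_SPACE.sub("", href).lower()

def blacklist_guard(href: str) -> bool:
    """Blanket check in the spirit of the commit: refuse 'javascript:' hrefs.
    Returns True when the href may be rendered."""
    return not normalise_href(href).startswith("javascript:")

# Assumed allow-list for the whitelist variant; a real application would
# set this from its own requirements.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def whitelist_guard(href: str) -> bool:
    """Stricter alternative: accept relative URIs and a fixed set of known-good
    schemes; any other scheme, anticipated or not, is refused."""
    cleaned = _CONTROL_AND_SPACE.sub("", href)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        return True  # relative URI such as "/D1366" or "#top"
    return scheme in ALLOWED_SCHEMES

# Constructed sample hrefs with the verdict both guards should reach.
SAMPLE_HREFS = {
    "/D1366": True,
    "https://secure.phabricator.com/D1366": True,
    "javascript:doSomething()": False,
    " JaVaScRiPt:doSomething()": False,
    "java\tscript:doSomething()": False,
}

def disagreements(guard) -> list:
    """Return the sample hrefs on which `guard` reaches the wrong verdict."""
    return [h for h, ok in SAMPLE_HREFS.items() if guard(h) != ok]

if __name__ == "__main__":
    for g in (blacklist_guard, whitelist_guard):
        print(g.__name__, "misses:", disagreements(g))
    # The blacklist knows nothing about other schemes; the whitelist does.
    print("vbscript: via blacklist:", blacklist_guard("vbscript:x"))
    print("vbscript: via whitelist:", whitelist_guard("vbscript:x"))
```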

Details

Committed
epriestley <git@epriestley.com>, Jan 12 2012, 19:59
Pushed
aubort, Mar 17 2017, 12:03
Parents
rPHU6f71996c8511: add the method to access the last item in an array without chocking

Event Timeline

epriestley <git@epriestley.com> committed rPHU5556fd5cc6ad: Add a blanket guard for 'javascript:' hrefs in libphutil (authored by epriestley <git@epriestley.com>). Jan 12 2012, 19:59