Add a blanket guard for 'javascript:' hrefs in libphutil
Summary:
In our application (and, I claim in the comments, any "well designed"
application) these are never intentional and always indicate an attack vector.
D1365 closes such a vector (albeit an admin-only one), but we can also just put
a blanket check here.
On its own this would be a poor approach because it's a blacklist rather than a
whitelist (it does nothing about these URIs in other attributes, or about other
dangerous URIs), but I think it's a reasonable complement to other mechanisms
and practices, like the SQL syntax error checks.
Test Plan:
- Ran unit tests.
- Browsed site.
- Profiled some heavy pages; this adds less than a millisecond to a 1000-task
Maniphest list.
Reviewers: btrahan, jungejason, arice
Reviewed By: arice
CC: aran, arice, epriestley
Differential Revision: https://secure.phabricator.com/D1366
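
A sketch of the kind of blanket href guard this commit message describes, added here as an example; it is not the code from this revision or from libphutil. The function names, the choice to throw, and the sample hrefs are assumptions made for the illustration.

```php
<?php
// Added illustration; names are hypothetical and are not libphutil's API.

// True if a browser could treat $href as a javascript: URI. URL parsers skip
// leading control characters and spaces, drop tab/CR/LF anywhere in the
// string, and match the scheme case-insensitively, so normalize first.
function example_is_javascript_href(string $href): bool {
  $normalized = ltrim($href, "\x00..\x20");
  $normalized = str_replace(array("\t", "\r", "\n"), '', $normalized);
  return stripos($normalized, 'javascript:') === 0;
}

// Minimal tag renderer with the blanket guard on href only. Throwing (rather
// than silently dropping the attribute) is this example's choice. Attribute
// names are assumed to be developer-supplied constants, so only values are
// escaped.
function example_render_tag(string $tag, array $attributes, string $content = ''): string {
  if (isset($attributes['href']) &&
      example_is_javascript_href((string)$attributes['href'])) {
    throw new InvalidArgumentException(
      "Refusing to render a tag with a 'javascript:' href.");
  }
  $html = '<'.$tag;
  foreach ($attributes as $name => $value) {
    $html .= ' '.$name.'="'.htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8').'"';
  }
  return $html.'>'.htmlspecialchars($content, ENT_QUOTES, 'UTF-8').'</'.$tag.'>';
}

// Constructed sample hrefs: two ordinary links, two obfuscated javascript: URIs.
$samples = array(
  '/T123',
  'https://example.com/?q=javascript:',
  'JaVaScRiPt:void(0)',
  " java\tscript:void(0)",
);
foreach ($samples as $href) {
  try {
    echo example_render_tag('a', array('href' => $href), 'link'), "\n";
  } catch (InvalidArgumentException $ex) {
    echo 'blocked: ', json_encode($href), "\n";
  }
}
```

The first two samples render as links and the last two are blocked. As the summary says of the real check, a guard like this covers only `href` and only one scheme, so it sits alongside output escaping and URI allowlisting rather than replacing them.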