Lock uri.allowed-protocols in Config
Summary: This allows administrative overreach. Administrators can enable `javascript:` and then XSS things if this isn't locked.

Test Plan: Viewed value on web UI, verified it was locked.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D6975
@@ -124,7 +124,8 @@ final class PhabricatorSecurityConfigOptions
|
|||||||
"whitelist is primarily to prevent security issues like ".
|
"whitelist is primarily to prevent security issues like ".
|
||||||
"javascript:// URIs."))
|
"javascript:// URIs."))
|
||||||
->addExample(
|
->addExample(
|
||||||
'{"http": true, "https": true"}', pht('Valid Setting')),
|
'{"http": true, "https": true"}', pht('Valid Setting'))
|
||||||
|
->setLocked(true),
|
||||||
$this->newOption(
|
$this->newOption(
|
||||||
'celerity.resource-hash',
|
'celerity.resource-hash',
|
||||||
'string',
|
'string',
|
||||||
|
|||||||
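Review bot: the `->addExample(` string in this hunk, `'{"http": true, "https": true"}'`, carries a stray `"` after the second `true`, so the example labelled `pht('Valid Setting')` is not valid JSON; since the line is already being touched (the trailing comma moves to `->setLocked(true),`), this is a good moment to correct it to `'{"http": true, "https": true}'`. The lock itself is the right fix for the problem described in the summary: the option's own help text says the whitelist exists to block `javascript://` URIs, and without `setLocked(true)` a web-UI administrator could simply add `javascript` back to that whitelist and reintroduce the XSS vector the whitelist is meant to prevent.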