Homestyx hydra
Diffusion hydra 65a56c6ce092

Improve mailing list edit form
65a56c6ce092
Actions

Description

Improve mailing list edit form

Summary:

  • Add some captions to make it more clear what these fields mean.
  • Require "name", since tokenizers use it exclusively.
  • Limit URI to allowed protocols, since admins can currently XSS users by

entering a "javascript:" URI and then tricking the user into clicking the
mailing list name. This exploit is dumb, but technically privilege escallation.

Test Plan:

  • Created a new mailing list.
  • Edited a mailing list.
  • Tested URI: valid, invalid, omitted.
  • Tested name: valid, omitted.

Reviewers: btrahan, jungejason, davidreuss

Reviewed By: btrahan

CC: aran, btrahan

Differential Revision: https://secure.phabricator.com/D1365

Details

Provenance
epriestleyAuthored on Jan 11 2012, 4:36 PM
sirocylPushed on Oct 16 2024, 5:49 AM
Parents
R1:b8ab23d8c594: Merge pull request #87 from kdeggelman/master
Branches
Unknown
Tags
Unknown

Event Timeline

Changes (2)

PathSize
src/
applications/
metamta/
controller/
mailinglistedit/

R1:65a56c6ce092

View Options

src/applications/metamta/controller/mailinglistedit/PhabricatorMetaMTAMailingListEditController.php

Loading...
View Options

src/applications/metamta/controller/mailinglistedit/__init__.php

Loading...
styx copyright 2020 sirocyl / ellie (kymkdd) / ncommander / styx contributors
Use of other names and brands is not intended to reflect a claim of, or right to, use the name or brand.
styx is an operating system using the Linux kernel and components, and "styx Linux" as a phrase does not reflect the inclusion of the Linux brand or trademark in the styx project.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
Terms and Conditions (TODO: fix this!)