Add ability to link back to parent site in external phame blogs
ClosedPublic
Actions

Authored by chad on Jun 20 2016, 6:29 PM.

Details

Reviewers

epriestley

Maniphest Tasks

T9897: Unbeta Feedback on Phame

Commits

rP967945e4b4e9: Add ability to link back to parent site in external phame blogs

Summary

Ref T9897. Adds a Parent Site and Parent Domain field to allow external sites to link back to parent.

Test Plan

Set up `local.blog.phacility.com```, set parent site to "Phacility" and parent domain to "local.www.phacility.com". Get new crumbs at Blog and Post levels.

Diff Detail

Repository

rP Phabricator

Branch

phame-site (branched from master)

Lint

Lint Passed

Unit

Tests Passed

Build Status

Buildable 12735
Build 16198: Run Core Tests
Build 16197: arc lint + arc unit

Event Timeline

chad updated this revision to Diff 38855.Jun 20 2016, 6:29 PM

chad retitled this revision from to Add ability to link back to parent site in external phame blogs.

chad updated this object.

chad edited the test plan for this revision. (Show Details)

chad added a reviewer: epriestley.

chad added a task: T9897: Unbeta Feedback on Phame.

Herald added a subscriber: Korvin. · View Herald TranscriptJun 20 2016, 6:29 PM

epriestley requested changes to this revision.Jun 20 2016, 6:43 PM

epriestley edited edge metadata.

epriestley added inline comments.

src/applications/phame/editor/PhameBlogEditEngine.php
105	For consistency, prefer camelCase (`parentSite`).
113	...and here.
src/applications/phame/editor/PhameBlogEditor.php
140	Then ideally also validate the URI here to make sure it passes `PhabricatorEnv::requireValidRemoteURIForLink($uri)` before we let them save it.
src/applications/phame/storage/PhameBlog.php
199–203	I think this should just return whatever they entered (so we can link to `https://`, and a third-party can link to `https://corporate.company.com/engineering/` from the "Engineering Blog") but check it first with this: PhabricatorEnv::requireValidRemoteURIForLink($raw_uri); That makes sure the user didn't enter `javascript:do_evil();` as their parent domain.

This revision now requires changes to proceed.Jun 20 2016, 6:43 PM

updates per inlines

epriestley accepted this revision.Jun 20 2016, 7:37 PM

epriestley edited edge metadata.

epriestley added inline comments.

src/applications/phame/storage/PhameBlog.php
200	We should validate this again here, just to be safe. This prevents these attacks: User figures out how to bypass validation somehow. User figures out some other way to write to the database. There's a bug in `requireValidRemoteURIForLink()` that we fix later.