Improve mailing list edit form
65a56c6ce092Unpublished
Actions

Unpublished Commit · Learn More

No further details are available.

Description

Improve mailing list edit form

Summary:

Add some captions to make it more clear what these fields mean.
Require "name", since tokenizers use it exclusively.
Limit URI to allowed protocols, since admins can currently XSS users by

entering a "javascript:" URI and then tricking the user into clicking the
mailing list name. This exploit is dumb, but technically privilege escallation.

Test Plan:

Created a new mailing list.
Edited a mailing list.
Tested URI: valid, invalid, omitted.
Tested name: valid, omitted.

Reviewers: btrahan, jungejason, davidreuss

Reviewed By: btrahan

CC: aran, btrahan

Differential Revision: https://secure.phabricator.com/D1365

Details

Provenance

epriestley

Authored on

Reviewer

btrahan

Differential Revision

Restricted Differential Revision

Parents

rPb8ab23d8c594: Merge pull request #87 from kdeggelman/master

Branches

Unknown

Tags

Unknown

Event Timeline

Changes (2)

Path

Size

src/

applications/

metamta/

controller/

mailinglistedit/

PhabricatorMetaMTAMailingListEditController.php

__init__.php

rP65a56c6ce092

View Options

src/applications/metamta/controller/mailinglistedit/PhabricatorMetaMTAMailingListEditController.php