Improve mailing list edit form
65a56c6ce092
Actions

Description

Improve mailing list edit form

Summary:

Add some captions to make it more clear what these fields mean.
Require "name", since tokenizers use it exclusively.
Limit URI to allowed protocols, since admins can currently XSS users by

entering a "javascript:" URI and then tricking the user into clicking the
mailing list name. This exploit is dumb, but technically privilege escallation.

Test Plan:

Created a new mailing list.
Edited a mailing list.
Tested URI: valid, invalid, omitted.
Tested name: valid, omitted.

Reviewers: btrahan, jungejason, davidreuss

Reviewed By: btrahan

CC: aran, btrahan

Differential Revision: https://secure.phabricator.com/D1365

Details

Provenance

epriestley	Authored on Jan 11 2012, 1:36 PM
themackabu	Pushed on Mar 25 2025, 8:07 PM

Parents

rPb8ab23d8c594: Merge pull request #87 from kdeggelman/master

Branches

Unknown

Tags

Unknown

Event Timeline

Changes (2)

Path

Size

src/

applications/

metamta/

controller/

mailinglistedit/

PhabricatorMetaMTAMailingListEditController.php

__init__.php

rP65a56c6ce092

View Options

src/applications/metamta/controller/mailinglistedit/PhabricatorMetaMTAMailingListEditController.php