github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-28 23:49:34 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: use allowlist and blocklist terminology (#10209)

Browse Source 
This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist.
This commit is contained in:
Krzysztof Kotlarek
2020-07-27 10:23:54 +10:00
committed by GitHub
parent 5077cf52fd
commit e0d9232259
130 changed files with 676 additions and 570 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/SECURITY.md
View File

@ -29,7 +29,7 @@ There are 3 main scenarios we protect against:
3. **CSP is on by default** for [all Discourse installations](https://meta.discourse.org/t/mitigate-xss-attacks-with-content-security-policy/104243) as of Discourse 2.2. It can be switched off in the site settings, but it is default on.
On the server side we run a whitelist based sanitizer, implemented using the [Sanitize gem](https://github.com/rgrove/sanitize). See the [relevant Discourse code](https://github.com/discourse/discourse/blob/master/lib/pretty_text.rb).
On the server side we run a allowlist based sanitizer, implemented using the [Sanitize gem](https://github.com/rgrove/sanitize). See the [relevant Discourse code](https://github.com/discourse/discourse/blob/master/lib/pretty_text.rb).
In addition, titles and all other places where non-admins can enter code are protected either using the Handlebars library or standard Rails XSS protection.