FMHN#68489 fac_html_strictness om XSS uit te kunnen sluiten

svn path=/Database/branches/DB40/; revision=52934
This commit is contained in:
Jos Groot Lipman
2021-09-07 12:41:26 +00:00
parent 2b8dc064e7
commit bf80c52744


@@ -172,6 +172,7 @@ DEFINE_SETTING('FAC', 0001, 'WEB_FACTAB', 'allow_framed_facilitor'
DEFINE_SETTING('FAC', 0001, 'WEB_FACTAB', 'allowedImgRegex' , 'string' , '^((http|https):\/\/)' , 'Allowed url-regex in between [img][/img]-tags')
DEFINE_SETTING('FAC', 0001, 'WEB_FACTAB', 'allowedLinkRegex' , 'string' , '^((ftp|http|https):\/\/|(mailto|tel):)' , 'Allowed link-regex in between [link][/link]-tags')
DEFINE_SETTING('FAC', 0001, 'WEB_FACTAB', 'auto_https' , 'number' , '3' , '0=not https, 1=http redirects to https, (3=also all cookies ;Secure)')
DEFINE_SETTING('FAC', 0001, 'WEB_FACTAB', 'fac_html_strictness' , 'number' , '0' , '0=allow html in message, res-room description, flex-labels, 1=do not allow (strict, more secure)')
DEFINE_SETTING('FAC', 0001, 'WEB_FACTAB', 'cal_showOn' , 'string' , 'button' , '''button'' or ''focus'' or ''both''')
DEFINE_SETTING('FAC', 0001, 'WEB_FACTAB', 'csp_header' , 'string' , 'default-src *; style-src * ''unsafe-inline''; script-src * ''unsafe-inline'' ''unsafe-eval''; img-src * data: ''unsafe-inline''; connect-src * ''unsafe-inline''; frame-src * mailto: tel: phone: callto:; font-src * data: ''unsafe-inline'';', 'Content-Security-Policy header')
DEFINE_SETTING('FAC', 0001, 'WEB_FACTAB', 'referrer_policy_header' , 'string' , 'strict-origin-when-cross-origin', 'Referrer-Policy header (future use)')
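Review bot: The new `fac_html_strictness` setting is registered with default `'0'`, the permissive value that its own description labels as the less secure one, so the XSS exclusion the commit title announces is opt-in on every installation that never changes it; this applies to the `'fac_html_strictness'` DEFINE_SETTING line in this hunk (it appears to be the added line given the commit title and the 6-to-7 line count, since the rendered page dropped the +/- marker). Keeping `'0'` as the default is understandable if existing deployments rely on HTML in messages, room descriptions and flex-labels, but that trade-off should be stated where admins read it, e.g. `'0=allow html in message, res-room description, flex-labels (legacy default), 1=do not allow (strict, more secure; recommended for new installations)'`. The description also does not say what happens to HTML when strictness is 1 (stripped, escaped, or rejected); the enforcement is not visible in this hunk, so naming the behaviour here would make the setting's effect checkable.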