Idea #8177
Updated by Brett Smith over 8 years ago
This should be false by default, because it means you're vulnerable to XSS. But setting it to true and using keep-web would be better than falling back to the arv-get code, so it's worthwhile.

* The configuration setting is trust_all_content. It defaults to false. When true, Workbench will redirect users to keep-web even when that exposes XSS vulnerabilities.
* There should be a comment in application.default.yml explaining the security risks of the feature to administrators. It should also note that the corresponding setting must also be enabled on keep-web.
* Add a section to the Workbench install guide that explains this configuration, with basically the same wording.
* There's already a test that the XSS protection kicks in. That should continue passing when trust_all_content is false. Add a test alongside it that the redirect happens normally when trust_all_content is true.
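The following Ruby block is an added illustration of the behaviour described in this issue; it is not Arvados Workbench code. It models the redirect decision so that the two requested test cases (XSS protection with trust_all_content false, normal redirect with it true) can be seen side by side, plus an operator check for the keep-web caveat. Everything not stated in the issue is an assumption of the example: the keep_web_url setting name, the redirect URL layout, and the rule used for the existing XSS protection (a keep-web hostname without a `*` wildcard is treated as one origin shared by every collection, so HTML in one collection could script against another; a wildcard hostname gives each collection its own origin and is treated as safe to redirect to).

```ruby
# Added illustration for the trust_all_content setting described in this issue.
# Not Arvados Workbench code: a small model of the decision the issue describes.
# Assumptions (not from the issue): the keep_web_url setting name, the redirect
# URL layout, and the rule that a keep-web hostname without a '*' wildcard is a
# single origin shared by every collection (unsafe for untrusted content), while
# a wildcard hostname gives each collection its own origin.

# Stand-in for Rails.configuration in Workbench. trust_all_content defaults to
# false, as the issue requires.
def workbench_config(trust_all_content: false,
                     keep_web_url: 'https://collections.example.com')
  { trust_all_content: trust_all_content, keep_web_url: keep_web_url }
end

# True when the configured keep-web base URL puts every collection on its own
# origin (assumed convention: a '*' in the hostname that is replaced by the
# collection identifier).
def per_collection_origin?(keep_web_url)
  keep_web_url.match?(%r{\Ahttps?://[^/]*\*[^/]*})
end

# Decide how Workbench answers a request to view file `path` of collection
# `uuid`. Returns [:redirect, url] when the browser should be sent to keep-web,
# or [:serve_locally, :xss_protection] when the existing protection keeps the
# request on Workbench's own arv-get based path.
def file_access_decision(uuid, path, config)
  base = config[:keep_web_url]
  if !per_collection_origin?(base) && !config[:trust_all_content]
    # Existing XSS protection: untrusted content is never handed to a keep-web
    # origin shared by all collections unless the admin opted in.
    return [:serve_locally, :xss_protection]
  end
  # Hypothetical redirect target: wildcard hosts get the collection id in the
  # hostname; a shared host gets it in the path.
  location = if per_collection_origin?(base)
               "#{base.sub('*', uuid.tr('+', '-'))}/#{path}"
             else
               "#{base}/collections/#{uuid}/#{path}"
             end
  [:redirect, location]
end

# Operator check for the caveat in the issue: enabling trust_all_content in
# Workbench only helps if keep-web's own trust_all_content is enabled too.
# Returns a list of warning strings (empty when the pair is consistent and safe).
def config_warnings(config, keep_web_trust_all_content:)
  warnings = []
  if config[:trust_all_content]
    warnings << 'trust_all_content is true: Workbench will redirect to keep-web ' \
                'even where that exposes users to XSS from collection content'
    unless keep_web_trust_all_content
      warnings << 'trust_all_content must also be enabled on keep-web'
    end
  end
  warnings
end

if __FILE__ == $PROGRAM_NAME
  uuid = 'zzzzz-4zz18-0123456789abcde' # constructed sample collection UUID
  p file_access_decision(uuid, 'index.html', workbench_config)
  p file_access_decision(uuid, 'index.html', workbench_config(trust_all_content: true))
  p config_warnings(workbench_config(trust_all_content: true), keep_web_trust_all_content: false)
end
```

With the default (false) setting and a shared-origin keep_web_url the decision is `[:serve_locally, :xss_protection]`, which is what the existing test should keep asserting; flipping trust_all_content to true turns the same request into a redirect, which is what the new test should assert. The warnings helper is the check an install-guide reader would want: it flags the opt-in itself and the missing keep-web side of the pair.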