HEX
Server: nginx/1.18.0
System: Linux proba.drlaca.appboxes.co 6.1.0-28-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22) x86_64
User: appbox (1000)
PHP: 7.4.3-4ubuntu2.29
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /usr/share/php/HTMLPurifier/ConfigSchema/schema/
Upload Files
File: //usr/share/php/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt
URI.MungeSecretKey
TYPE: string/null
VERSION: 3.1.1
DEFAULT: NULL
--DESCRIPTION--
<p>
    This directive enables secure checksum generation along with %URI.Munge.
    It should be set to a secure key that is not shared with anyone else.
    The checksum can be placed in the URI using %t. Use of this checksum
    affords an additional level of protection by allowing a redirector
    to check if a URI has passed through HTML Purifier with this line:
</p>

<pre>$checksum === hash_hmac("sha256", $url, $secret_key)</pre>

<p>
    If the output is TRUE, the redirector script should accept the URI.
</p>

<p>
    Please note that it would still be possible for an attacker to procure
    secure hashes en-mass by abusing your website's Preview feature or the
    like, but this service affords an additional level of protection
    that should be combined with website blacklisting.
</p>

<p>
    Remember this has no effect if %URI.Munge is not on.
</p>
--# vim: et sw=4 sts=4
@ Telegram