phorge-phorge/src/infrastructure/javelin/markup/markup.php

<?php

/*
 * Copyright 2011 Facebook, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

function javelin_render_tag(
  $tag,
  array $attributes = array(),
  $content = null) {

  if (isset($attributes['sigil']) ||
      isset($attributes['meta'])  ||
      isset($attributes['mustcapture'])) {
    foreach ($attributes as $k => $v) {
      switch ($k) {
        case 'sigil':
          $attributes['data-sigil'] = $v;
          unset($attributes[$k]);
          break;
        case 'meta':
          $response = CelerityAPI::getStaticResourceResponse();
          $id = $response->addMetadata($v);
          $attributes['data-meta'] = $id;
          unset($attributes[$k]);
          break;
        case 'mustcapture':
          $attributes['data-mustcapture'] = '1';
          unset($attributes[$k]);
          break;
      }
    }
  }

  return phutil_render_tag($tag, $attributes, $content);
}


function phabricator_render_form(PhabricatorUser $user, $attributes, $content) {
  return javelin_render_tag(
    'form',
    $attributes,
    phutil_render_tag(
      'input',
      array(
        'type' => 'hidden',
        'name' => AphrontRequest::getCSRFTokenName(),
        'value' => $user->getCSRFToken(),
      )).
    phutil_render_tag(
      'input',
      array(
        'type' => 'hidden',
        'name' => '__form__',
        'value' => true,
      )).$content);
}
Javelin integration. 2011-01-25 20:57:47 +01:00			`<?php`

			`/*`
			`* Copyright 2011 Facebook, Inc.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`function javelin_render_tag(`
			`$tag,`
			`array $attributes = array(),`
			`$content = null) {`

			`if (isset($attributes['sigil']) \|\|`
			`isset($attributes['meta']) \|\|`
			`isset($attributes['mustcapture'])) {`
			`foreach ($attributes as $k => $v) {`
			`switch ($k) {`
			`case 'sigil':`
Bring in JX.Workflow and the inline commenting behavior, plus sync Javelin. 2011-02-02 00:52:04 +01:00			`$attributes['data-sigil'] = $v;`
Javelin integration. 2011-01-25 20:57:47 +01:00			`unset($attributes[$k]);`
			`break;`
			`case 'meta':`
			`$response = CelerityAPI::getStaticResourceResponse();`
			`$id = $response->addMetadata($v);`
Bring in JX.Workflow and the inline commenting behavior, plus sync Javelin. 2011-02-02 00:52:04 +01:00			`$attributes['data-meta'] = $id;`
Javelin integration. 2011-01-25 20:57:47 +01:00			`unset($attributes[$k]);`
			`break;`
			`case 'mustcapture':`
Bring in JX.Workflow and the inline commenting behavior, plus sync Javelin. 2011-02-02 00:52:04 +01:00			`$attributes['data-mustcapture'] = '1';`
Javelin integration. 2011-01-25 20:57:47 +01:00			`unset($attributes[$k]);`
			`break;`
			`}`
			`}`
			`}`

			`return phutil_render_tag($tag, $attributes, $content);`
			`}`
Rought cut of search. Summary: Botched this pretty badly in git so we'll see how much I broke. :/ Test Plan: Reviewers: CC: 2011-02-15 00:34:20 +01:00

			`function phabricator_render_form(PhabricatorUser $user, $attributes, $content) {`
			`return javelin_render_tag(`
			`'form',`
			`$attributes,`
			`phutil_render_tag(`
			`'input',`
			`array(`
			`'type' => 'hidden',`
Prevent CSRF uploads via /file/dropupload/ Summary: We don't currently validate CSRF tokens on this workflow. This allows an attacker to upload arbitrary files on the user's behalf. Although I believe the tight list of servable mime-types means that's more or less the end of the attack, this is still a vulnerability. In the long term, the right solution is probably to pass CSRF tokens on all Ajax requests in an HTTP header (or just a GET param) or something like that. However, this endpoint is unique and this is the quickest and most direct way to close the hole. Test Plan: - Drop-uploaded files to Files, Maniphest, Phriction and Differential. - Modified CSRF vaidator to use __csrf__.'x' and verified uploads and form submissions don't work. Reviewers: andrewjcg, aran, jungejason, tuomaspelkonen, erling Commenters: andrewjcg, pedram CC: aran, epriestley, andrewjcg, pedram Differential Revision: 758 2011-08-02 05:23:01 +02:00			`'name' => AphrontRequest::getCSRFTokenName(),`
Rought cut of search. Summary: Botched this pretty badly in git so we'll see how much I broke. :/ Test Plan: Reviewers: CC: 2011-02-15 00:34:20 +01:00			`'value' => $user->getCSRFToken(),`
			`)).`
			`phutil_render_tag(`
			`'input',`
			`array(`
			`'type' => 'hidden',`
			`'name' => '__form__',`
			`'value' => true,`
			`)).$content);`
			`}`