revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2025-01-24 21:48:21 +01:00
Code Issues Releases Wiki Activity

Defuse XSS in Calendar

Browse source 
Summary: `addDetail()` takes HTML because we have links there fairly often. :/ This design is iffy.

Test Plan: Reloaded `/calendar/status/`, verified no XSS.

Reviewers: btrahan, vrana

Reviewed By: vrana

CC: aran

Maniphest Tasks: T139

Differential Revision: https://secure.phabricator.com/D4074
This commit is contained in:
epriestley 2012-12-03 16:46:56 -08:00
parent 27785c4f75
commit 02e8a322dc
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/applications/calendar/controller/PhabricatorCalendarViewStatusController.php
View file

@ -73,7 +73,7 @@ final class PhabricatorCalendarViewStatusController
->setHref($href) ->setHref($href)
->addDetail( ->addDetail(
pht('Description'), pht('Description'),
$status->getDescription()) phutil_escape_html($status->getDescription()))
->addAttribute(pht('From %s', $from)) ->addAttribute(pht('From %s', $from))
->addAttribute(pht('To %s', $to)); ->addAttribute(pht('To %s', $to));