From 33fb7117ae9bef9510905ee5cc77cfb6e0eb99cb Mon Sep 17 00:00:00 2001
From: vrana
Date: Thu, 2 Feb 2012 12:17:12 -0800
Subject: [PATCH] XSS in Owners

Test Plan: Display /owners/view/search/ for repository with callsign hack
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: https://secure.phabricator.com/D1549
---
 .../owners/controller/list/PhabricatorOwnersListController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/applications/owners/controller/list/PhabricatorOwnersListController.php b/src/applications/owners/controller/list/PhabricatorOwnersListController.php
index ce1372e0cd..914143a191 100644
--- a/src/applications/owners/controller/list/PhabricatorOwnersListController.php
+++ b/src/applications/owners/controller/list/PhabricatorOwnersListController.php
@@ -214,7 +214,7 @@ class PhabricatorOwnersListController extends PhabricatorOwnersController {
 foreach ($pkg_paths as $key => $path) {
 $repo = $handles[$path->getRepositoryPHID()]->getName();
 $pkg_paths[$key] =
- ''.$repo.' '.
+ ''.phutil_escape_html($repo).' '.
 phutil_escape_html($path->getPath());
 }
 $pkg_paths = implode('
', $pkg_paths);
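Review bot: The new `phutil_escape_html($repo)` call closes this one sink, but the loop over `$pkg_paths` still builds markup by hand-concatenating strings, so nothing stops the next value added here from being left unescaped the same way. The handle's `getName()` returns a user-supplied repository name and the joined `$pkg_paths` string is presumably emitted as raw HTML, so every operand of the concatenation has to be escaped on its own. I would record that above the assignment, for example `// Handle names are user-controlled; escape each value before concatenating into $pkg_paths.`. It is also worth checking the other places in this controller that print `$handles[...]->getName()`, which the hunk does not show. The enclosing method starts and ends outside the hunk, so how `$pkg_paths` is finally rendered cannot be confirmed from here.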