mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-20 20:40:56 +01:00
Fix an XSS issue where Diffusion files exceeding the highlighting byte limit were not properly escaped
Fixes T11257. Auditors: chad
This commit is contained in:
parent
ceb395ea9b
commit
498cb5c096
1 changed files with 8 additions and 4 deletions
|
@ -682,17 +682,21 @@ final class DiffusionBrowseController extends DiffusionController {
|
|||
$blame_commits,
|
||||
$show_blame);
|
||||
} else {
|
||||
if ($can_highlight) {
|
||||
require_celerity_resource('syntax-highlighting-css');
|
||||
require_celerity_resource('syntax-highlighting-css');
|
||||
|
||||
if (!$can_highlight) {
|
||||
$highlighted = PhabricatorSyntaxHighlighter::highlightWithFilename(
|
||||
$path,
|
||||
$file_corpus);
|
||||
$lines = phutil_split_lines($highlighted);
|
||||
} else {
|
||||
$lines = phutil_split_lines($file_corpus);
|
||||
// Highlight as plain text to escape the content properly.
|
||||
$highlighted = PhabricatorSyntaxHighlighter::highlightWithLanguage(
|
||||
'txt',
|
||||
$file_corpus);
|
||||
}
|
||||
|
||||
$lines = phutil_split_lines($highlighted);
|
||||
|
||||
$rows = $this->buildDisplayRows(
|
||||
$lines,
|
||||
$blame_list,
|
||||
|
|
Loading…
Reference in a new issue