revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-10 08:52:39 +01:00
Code Issues Releases Wiki Activity

Fix an XSS issue where Diffusion files exceeding the highlighting byte limit were not properly escaped

Browse source 
Fixes T11257.

Auditors: chad
This commit is contained in:
epriestley 2016-07-02 05:17:05 -07:00
parent ceb395ea9b
commit 498cb5c096
1 changed files with 8 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
src/applications/diffusion/controller/DiffusionBrowseController.php
View file

@ -682,17 +682,21 @@ final class DiffusionBrowseController extends DiffusionController {
$blame_commits,
$show_blame);
} else {
if ($can_highlight) {
require_celerity_resource('syntax-highlighting-css');
require_celerity_resource('syntax-highlighting-css');
if (!$can_highlight) {
$highlighted = PhabricatorSyntaxHighlighter::highlightWithFilename(
$path,
$file_corpus);
$lines = phutil_split_lines($highlighted);
} else {
$lines = phutil_split_lines($file_corpus);
// Highlight as plain text to escape the content properly.
$highlighted = PhabricatorSyntaxHighlighter::highlightWithLanguage(
'txt',
$file_corpus);
}
$lines = phutil_split_lines($highlighted);
$rows = $this->buildDisplayRows(
$lines,
$blame_list,