diff --git a/src/applications/differential/parser/changeset/DifferentialChangesetParser.php b/src/applications/differential/parser/changeset/DifferentialChangesetParser.php
index bfcecdbd2b..792efa645d 100644
--- a/src/applications/differential/parser/changeset/DifferentialChangesetParser.php
+++ b/src/applications/differential/parser/changeset/DifferentialChangesetParser.php
@@ -1618,7 +1618,9 @@ class DifferentialChangesetParser {
case DifferentialChangeType::TYPE_COPY_HERE:
$message =
"This {$files[$file]} was {$verb} ".
- "{$changeset->getOldFile()}.";
+ "".
+ phutil_escape_html($changeset->getOldFile()).
+ ".";
break;
case DifferentialChangeType::TYPE_MOVE_AWAY:
case DifferentialChangeType::TYPE_COPY_AWAY:
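Review bot: Escaping is done by hand at each concatenation in this switch, so `$message` stays a plain string mixing markup with path values and nothing marks which parts are already safe. The `TYPE_MOVE_AWAY`/`TYPE_COPY_AWAY` hunk below repeats the pattern for `$paths`. These paths presumably come from the submitted diff, so I would add a comment above the switch such as `// $message is output as HTML: escape every path or other diff-derived value with phutil_escape_html()`. The switch continues past both hunks (`TYPE_CHANGE` and later cases are not shown), so those cases should be checked for interpolated values too. A regression test that renders a changeset whose old path contains `<` and `&` would pin the behaviour.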
@@ -1627,11 +1629,11 @@ class DifferentialChangesetParser {
if (count($paths) > 1) {
$message =
"This {$files[$file]} was {$verb}: ".
- "".implode(', ', $paths).".";
+ "".phutil_escape_html(implode(', ', $paths)).".";
} else {
$message =
"This {$files[$file]} was {$verb} ".
- "".reset($paths).".";
+ "".phutil_escape_html(reset($paths)).".";
}
break;
case DifferentialChangeType::TYPE_CHANGE:
diff --git a/src/applications/differential/view/difftableofcontents/DifferentialDiffTableOfContentsView.php b/src/applications/differential/view/difftableofcontents/DifferentialDiffTableOfContentsView.php
index 5dc4c8763b..1fd848ffaf 100644
--- a/src/applications/differential/view/difftableofcontents/DifferentialDiffTableOfContentsView.php
+++ b/src/applications/differential/view/difftableofcontents/DifferentialDiffTableOfContentsView.php
@@ -1,7 +1,7 @@
', $meta);
} else {
if ($type == DifferentialChangeType::TYPE_MOVE_AWAY) {
- $meta = 'Moved to '.reset($away);
+ $meta = 'Moved to '.phutil_escape_html(reset($away));
} else {
- $meta = 'Copied to '.reset($away);
+ $meta = 'Copied to '.phutil_escape_html(reset($away));
}
}
} else {
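Review bot: Only the single-destination branch is escaped here. The branch just above it ends in `', $meta);`, which looks like the tail of a join over several `$away` paths, and the code that builds those entries is not visible in this hunk. If they are appended unescaped, the multi-destination case still renders path text as markup. Each path should be escaped as it is added, e.g. `$meta[] = phutil_escape_html($path);` (loop variable name assumed), not after the join, because the separator is presumably markup itself.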