From 49a59bd8852c98df8885c7c8aefeb6f691468aca Mon Sep 17 00:00:00 2001
From: vrana <jakubv@fb.com>
Date: Sun, 15 Jan 2012 22:25:53 -0800
Subject: [PATCH] Fix XSS in Differential

Test Plan: Display a revision with file copied to ##<b>hack</b>##.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1411
---
 .../parser/changeset/DifferentialChangesetParser.php      | 8 +++++---
 .../DifferentialDiffTableOfContentsView.php               | 8 ++++----
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/applications/differential/parser/changeset/DifferentialChangesetParser.php b/src/applications/differential/parser/changeset/DifferentialChangesetParser.php
index bfcecdbd2b..792efa645d 100644
--- a/src/applications/differential/parser/changeset/DifferentialChangesetParser.php
+++ b/src/applications/differential/parser/changeset/DifferentialChangesetParser.php
@@ -1618,7 +1618,9 @@ class DifferentialChangesetParser {
         case DifferentialChangeType::TYPE_COPY_HERE:
           $message =
             "This {$files[$file]} was {$verb} ".
-            "<strong>{$changeset->getOldFile()}</strong>.";
+            "<strong>".
+              phutil_escape_html($changeset->getOldFile()).
+            "</strong>.";
           break;
         case DifferentialChangeType::TYPE_MOVE_AWAY:
         case DifferentialChangeType::TYPE_COPY_AWAY:
@@ -1627,11 +1629,11 @@ class DifferentialChangesetParser {
           if (count($paths) > 1) {
             $message =
               "This {$files[$file]} was {$verb}: ".
-              "<strong>".implode(', ', $paths)."</strong>.";
+              "<strong>".phutil_escape_html(implode(', ', $paths))."</strong>.";
           } else {
             $message =
               "This {$files[$file]} was {$verb} ".
-              "<strong>".reset($paths)."</strong>.";
+              "<strong>".phutil_escape_html(reset($paths))."</strong>.";
           }
           break;
         case DifferentialChangeType::TYPE_CHANGE:
diff --git a/src/applications/differential/view/difftableofcontents/DifferentialDiffTableOfContentsView.php b/src/applications/differential/view/difftableofcontents/DifferentialDiffTableOfContentsView.php
index 5dc4c8763b..1fd848ffaf 100644
--- a/src/applications/differential/view/difftableofcontents/DifferentialDiffTableOfContentsView.php
+++ b/src/applications/differential/view/difftableofcontents/DifferentialDiffTableOfContentsView.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright 2011 Facebook, Inc.
+ * Copyright 2012 Facebook, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -75,14 +75,14 @@ final class DifferentialDiffTableOfContentsView extends AphrontView {
             $meta[] = 'Copied to multiple locations:';
           }
           foreach ($away as $path) {
-            $meta[] = $path;
+            $meta[] = phutil_escape_html($path);
           }
           $meta = implode('<br />', $meta);
         } else {
           if ($type == DifferentialChangeType::TYPE_MOVE_AWAY) {
-            $meta = 'Moved to '.reset($away);
+            $meta = 'Moved to '.phutil_escape_html(reset($away));
           } else {
-            $meta = 'Copied to '.reset($away);
+            $meta = 'Copied to '.phutil_escape_html(reset($away));
           }
         }
       } else {