From 4bfbd209b224f2e809b75a42a53290aba3af1921 Mon Sep 17 00:00:00 2001 From: epriestley Date: Fri, 24 Jun 2011 10:43:57 -0700 Subject: [PATCH] Fix XSS hole in YouTube remarkup rule Summary: The source wasn't properly escaped. Test Plan: Made a comment like "http://youtube.com/?v=">

!!!

" Reviewed By: mroch Reviewers: tomo, mroch, tuomaspelkonen, aran, jungejason CC: aran, mroch Differential Revision: 516 --- .../youtube/PhabricatorRemarkupRuleYoutube.php | 18 ++++++++++++------ .../remarkup/markuprule/youtube/__init__.php | 1 + 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/src/infrastructure/markup/remarkup/markuprule/youtube/PhabricatorRemarkupRuleYoutube.php b/src/infrastructure/markup/remarkup/markuprule/youtube/PhabricatorRemarkupRuleYoutube.php index bf6a7e7dae..52b6575e86 100644 --- a/src/infrastructure/markup/remarkup/markuprule/youtube/PhabricatorRemarkupRuleYoutube.php +++ b/src/infrastructure/markup/remarkup/markuprule/youtube/PhabricatorRemarkupRuleYoutube.php @@ -38,12 +38,18 @@ class PhabricatorRemarkupRuleYoutube if ($v) { $youtube_src = 'https://www.youtube.com/embed/'.$v; $iframe = - '
- -
'; + '
'.
+ phutil_render_tag(
+ 'iframe',
+ array(
+ 'width' => '650',
+ 'height' => '400',
+ 'style' => 'margin: 1em auto; border: 0px;',
+ 'src' => $youtube_src,
+ 'frameborder' => 0,
+ ),
+ '').
+ '
';
 return $this->getEngine()->storeText($iframe);
 } else {
 return $this->uri;
diff --git a/src/infrastructure/markup/remarkup/markuprule/youtube/__init__.php b/src/infrastructure/markup/remarkup/markuprule/youtube/__init__.php
index 80117182c0..7d055605f1 100644
--- a/src/infrastructure/markup/remarkup/markuprule/youtube/__init__.php
+++ b/src/infrastructure/markup/remarkup/markuprule/youtube/__init__.php
@@ -6,6 +6,7 @@
+phutil_require_module('phutil', 'markup');
 phutil_require_module('phutil', 'markup/engine/remarkup/markuprule/base');
 phutil_require_module('phutil', 'parser/uri');
 phutil_require_module('phutil', 'utils');
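Review bot: `$v` is still concatenated into the embed URL unvalidated in the context line `$youtube_src = 'https://www.youtube.com/embed/'.$v;`, so while the new `'src' => $youtube_src` entry passed through phutil_render_tag closes the attribute-escaping hole, a `v` value carrying `/`, `?` or `#` characters is reproduced verbatim in the iframe URL rather than being rejected as a non-id. A YouTube video id is drawn from `[A-Za-z0-9_-]`, so the guard could be tightened to `if ($v && preg_match('/^[A-Za-z0-9_-]+$/', $v)) {` and any other value would fall through to the existing `return $this->uri;` branch and be rendered as a plain link. `$v` looks to be the parsed `v` query parameter of the matched URI, but that assignment, and the start and end of the enclosing method, lie outside the hunk.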