Convert AphrontPanelView to safe HTML (except children)

Summary: Fixes some double escaping and potential XSS. Test Plan: Looked at homepage. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2432 Differential Revision: https://secure.phabricator.com/D4917
2024-09-20 09:18:48 +02:00 · 2013-02-11 21:25:39 -08:00 · 2013-02-11 21:25:39 -08:00 · 5ad526942b
commit 5ad526942b
parent 80fb84bd94
10 changed files with 24 additions and 25 deletions
--- a/src/applications/audit/controller/PhabricatorAuditListController.php
+++ b/src/applications/audit/controller/PhabricatorAuditListController.php
@ -335,7 +335,7 @@ final class PhabricatorAuditListController extends PhabricatorAuditController {
    }

    if ($handle) {
-      $handle_name = phutil_escape_html($handle->getName());
+      $handle_name = $handle->getName();
    } else {
      $handle_name = null;
    }
@ -435,7 +435,7 @@ final class PhabricatorAuditListController extends PhabricatorAuditController {
    }

    if ($handle) {
-      $handle_name = phutil_escape_html($handle->getName());
+      $handle_name = $handle->getName();
    } else {
      $handle_name = null;
    }
--- a/src/applications/conduit/controller/PhabricatorConduitConsoleController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitConsoleController.php
@ -109,7 +109,7 @@ final class PhabricatorConduitConsoleController
          ->setValue('Call Method'));

    $panel = new AphrontPanelView();
-    $panel->setHeader('Conduit API: '.phutil_escape_html($this->method));
+    $panel->setHeader('Conduit API: '.$this->method);
    $panel->appendChild($form);
    $panel->setWidth(AphrontPanelView::WIDTH_FULL);

--- a/src/applications/diffusion/controller/DiffusionBrowseController.php
+++ b/src/applications/diffusion/controller/DiffusionBrowseController.php
@ -21,7 +21,7 @@ final class DiffusionBrowseController extends DiffusionController {
      $title = 'Tag: '.$drequest->getSymbolicCommit();

      $tag_view = new AphrontPanelView();
-      $tag_view->setHeader(phutil_escape_html($title));
+      $tag_view->setHeader($title);
      $tag_view->appendChild(
        $this->markupText($drequest->getTagContent()));

--- a/src/applications/diffusion/controller/DiffusionLintDetailsController.php
+++ b/src/applications/diffusion/controller/DiffusionLintDetailsController.php
@ -70,7 +70,7 @@ final class DiffusionLintDetailsController extends DiffusionController {

    $content[] = id(new AphrontPanelView())
      ->setHeader(
-        ($lint != '' ? phutil_escape_html($lint)." \xC2\xB7 " : '').
+        ($lint != '' ? $lint." \xC2\xB7 " : '').
        pht('%d Lint Message(s)', count($messages)))
      ->setCaption($link)
      ->appendChild($table)
--- a/src/applications/diffusion/controller/DiffusionRepositoryController.php
+++ b/src/applications/diffusion/controller/DiffusionRepositoryController.php
@ -68,7 +68,7 @@ final class DiffusionRepositoryController extends DiffusionController {
      'View Full Commit History');

    $panel = new AphrontPanelView();
-    $panel->setHeader("Recent Commits &middot; {$all}");
+    $panel->setHeader(hsprintf("Recent Commits &middot; %s", $all));
    $panel->appendChild($history_table);
    $panel->setNoBackground();

--- a/src/applications/maniphest/controller/ManiphestReportController.php
+++ b/src/applications/maniphest/controller/ManiphestReportController.php
@ -244,7 +244,7 @@ final class ManiphestReportController extends ManiphestController {
      ));

    if ($handle) {
-      $header = "Task Burn Rate for Project ".$handle->renderLink();
+      $header = pht("Task Burn Rate for Project %s", $handle->renderLink());
      $caption = hsprintf(
        "<p>NOTE: This table reflects tasks <em>currently</em> in ".
        "the project. If a task was opened in the past but added to ".
--- a/src/applications/oauthserver/controller/PhabricatorOAuthServerAuthController.php
+++ b/src/applications/oauthserver/controller/PhabricatorOAuthServerAuthController.php
@ -143,8 +143,7 @@ extends PhabricatorAuthController {

    // display time -- make a nice form for the user to grant the client
    // access to the granularity specified by $scope
-    $name  = phutil_escape_html($client->getName());
-    $title = 'Authorize ' . $name . '?';
+    $title = 'Authorize '.$client->getName().'?';
    $panel = new AphrontPanelView();
    $panel->setWidth(AphrontPanelView::WIDTH_FORM);
    $panel->setHeader($title);
--- a/src/applications/owners/controller/PhabricatorOwnersDetailController.php
+++ b/src/applications/owners/controller/PhabricatorOwnersDetailController.php
@ -109,8 +109,7 @@ final class PhabricatorOwnersDetailController
      ));

    $panel = new AphrontPanelView();
-    $panel->setHeader(
-      'Package Details for "'.phutil_escape_html($package->getName()).'"');
+    $panel->setHeader('Package Details for "'.$package->getName().'"');
    $panel->addButton(
      javelin_tag(
        'a',
@ -200,7 +199,7 @@ final class PhabricatorOwnersDetailController
    $commit_panels = array();
    foreach ($commit_views as $commit_view) {
      $commit_panel = new AphrontPanelView();
-      $commit_panel->setHeader(phutil_escape_html($commit_view['header']));
+      $commit_panel->setHeader($commit_view['header']);
      if (isset($commit_view['button'])) {
        $commit_panel->addButton($commit_view['button']);
      }
--- a/src/applications/slowvote/controller/PhabricatorSlowvotePollController.php
+++ b/src/applications/slowvote/controller/PhabricatorSlowvotePollController.php
@ -177,7 +177,7 @@ final class PhabricatorSlowvotePollController


    $panel = new AphrontPanelView();
-    $panel->setHeader(phutil_escape_html($poll->getQuestion()));
+    $panel->setHeader($poll->getQuestion());
    $panel->setWidth(AphrontPanelView::WIDTH_WIDE);

    $panel->appendChild($form);
--- a/src/view/layout/AphrontPanelView.php
+++ b/src/view/layout/AphrontPanelView.php
@ -63,7 +63,7 @@ final class AphrontPanelView extends AphrontView {

  public function render() {
    if ($this->header !== null) {
-      $header = '<h1>'.$this->header.'</h1>';
+      $header = phutil_tag('h1', array(), $this->header);
    } else {
      $header = null;
    }
@ -79,16 +79,18 @@ final class AphrontPanelView extends AphrontView {

    $buttons = null;
    if ($this->buttons) {
-      $buttons =
-        '<div class="aphront-panel-view-buttons">'.
-          implode(" ", $this->buttons).
-        '</div>';
+      $buttons = hsprintf(
+        '<div class="aphront-panel-view-buttons">%s</div>',
+        phutil_implode_html(" ", $this->buttons));
    }
-    $header_elements =
-      '<div class="aphront-panel-header">'.
-        $buttons.$header.$caption.
-      '</div>';
-    $table = implode('', $this->renderChildren());
+    $header_elements = hsprintf(
+      '<div class="aphront-panel-header">%s%s%s</div>',
+      $buttons,
+      $header,
+      $caption);
+
+    // TODO: [HTML] Make HTML safe.
+    $table = phutil_safe_html(implode('', $this->renderChildren()));

    require_celerity_resource('aphront-panel-view-css');

@ -104,8 +106,7 @@ final class AphrontPanelView extends AphrontView {
        'class' => implode(' ', $classes),
        'id'    => $this->id,
      ),
-      // TODO: [HTML] Make HTML safe.
-      phutil_safe_html($header_elements.$table));
+      array($header_elements, $table));
  }

 }