
Convert AphrontPanelView to safe HTML (except children)

Summary: Fixes some double escaping and potential XSS.

Test Plan: Looked at homepage.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T2432

Differential Revision: https://secure.phabricator.com/D4917
vrana 2013-02-11 21:25:39 -08:00
parent 80fb84bd94
commit 5ad526942b
10 changed files with 24 additions and 25 deletions


@ -335,7 +335,7 @@ final class PhabricatorAuditListController extends PhabricatorAuditController {
}
if ($handle) {
$handle_name = phutil_escape_html($handle->getName());
$handle_name = $handle->getName();
} else {
$handle_name = null;
}
@ -435,7 +435,7 @@ final class PhabricatorAuditListController extends PhabricatorAuditController {
}
if ($handle) {
$handle_name = phutil_escape_html($handle->getName());
$handle_name = $handle->getName();
} else {
$handle_name = null;
}
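Review bot: Dropping phutil_escape_html() from $handle_name at both sites is only a fix if its consumer, which lies outside this hunk, renders the value through a safe-HTML API such as phutil_tag() or hsprintf(); if the name is still string-concatenated into markup, that escape was the only barrier and the change reintroduces XSS rather than curing double escaping. The enclosing function bodies start and end outside both hunks, so the consumer could not be confirmed from here. The two if/else blocks are identical; collapsing each to `$handle_name = $handle ? $handle->getName() : null;` would make the remaining audit of this file shorter.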


@ -109,7 +109,7 @@ final class PhabricatorConduitConsoleController
->setValue('Call Method'));
$panel = new AphrontPanelView();
$panel->setHeader('Conduit API: '.phutil_escape_html($this->method));
$panel->setHeader('Conduit API: '.$this->method);
$panel->appendChild($form);
$panel->setWidth(AphrontPanelView::WIDTH_FULL);


@ -21,7 +21,7 @@ final class DiffusionBrowseController extends DiffusionController {
$title = 'Tag: '.$drequest->getSymbolicCommit();
$tag_view = new AphrontPanelView();
$tag_view->setHeader(phutil_escape_html($title));
$tag_view->setHeader($title);
$tag_view->appendChild(
$this->markupText($drequest->getTagContent()));


@ -70,7 +70,7 @@ final class DiffusionLintDetailsController extends DiffusionController {
$content[] = id(new AphrontPanelView())
->setHeader(
($lint != '' ? phutil_escape_html($lint)." \xC2\xB7 " : '').
($lint != '' ? $lint." \xC2\xB7 " : '').
pht('%d Lint Message(s)', count($messages)))
->setCaption($link)
->appendChild($table)


@ -68,7 +68,7 @@ final class DiffusionRepositoryController extends DiffusionController {
'View Full Commit History');
$panel = new AphrontPanelView();
$panel->setHeader("Recent Commits · {$all}");
$panel->setHeader(hsprintf("Recent Commits · %s", $all));
$panel->appendChild($history_table);
$panel->setNoBackground();
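Review bot: hsprintf() escapes a `%s` argument unless it is already PhutilSafeHTML, so the new header only renders a working link if `$all` (built just above the hunk from the 'View Full Commit History' text) comes from phutil_tag()/javelin_tag(); a plain string from one of the older string-returning render helpers would show up as literal `&lt;a …` markup in the panel title. The lines constructing `$all` are outside the hunk, so this could not be confirmed here and is worth a quick check.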


@ -244,7 +244,7 @@ final class ManiphestReportController extends ManiphestController {
));
if ($handle) {
$header = "Task Burn Rate for Project ".$handle->renderLink();
$header = pht("Task Burn Rate for Project %s", $handle->renderLink());
$caption = hsprintf(
"<p>NOTE: This table reflects tasks <em>currently</em> in ".
"the project. If a task was opened in the past but added to ".
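Review bot: The corrected header relies on pht() returning PhutilSafeHTML when handed a safe-HTML `%s` argument; if the translator returns a plain string in this tree, AphrontPanelView::render() will now escape it and the project link renders as literal markup (the old code had the opposite problem, trusting it unescaped). If that guarantee is not present, `hsprintf('Task Burn Rate for Project %s', $handle->renderLink())` keeps the surrounding text safe while preserving the link, and matches how `$caption` is built on the next lines. The enclosing method continues outside the hunk.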


@ -143,8 +143,7 @@ extends PhabricatorAuthController {
// display time -- make a nice form for the user to grant the client
// access to the granularity specified by $scope
$name = phutil_escape_html($client->getName());
$title = 'Authorize ' . $name . '?';
$title = 'Authorize '.$client->getName().'?';
$panel = new AphrontPanelView();
$panel->setWidth(AphrontPanelView::WIDTH_FORM);
$panel->setHeader($title);


@ -109,8 +109,7 @@ final class PhabricatorOwnersDetailController
));
$panel = new AphrontPanelView();
$panel->setHeader(
'Package Details for "'.phutil_escape_html($package->getName()).'"');
$panel->setHeader('Package Details for "'.$package->getName().'"');
$panel->addButton(
javelin_tag(
'a',
@ -200,7 +199,7 @@ final class PhabricatorOwnersDetailController
$commit_panels = array();
foreach ($commit_views as $commit_view) {
$commit_panel = new AphrontPanelView();
$commit_panel->setHeader(phutil_escape_html($commit_view['header']));
$commit_panel->setHeader($commit_view['header']);
if (isset($commit_view['button'])) {
$commit_panel->addButton($commit_view['button']);
}


@ -177,7 +177,7 @@ final class PhabricatorSlowvotePollController
$panel = new AphrontPanelView();
$panel->setHeader(phutil_escape_html($poll->getQuestion()));
$panel->setHeader($poll->getQuestion());
$panel->setWidth(AphrontPanelView::WIDTH_WIDE);
$panel->appendChild($form);


@ -63,7 +63,7 @@ final class AphrontPanelView extends AphrontView {
public function render() {
if ($this->header !== null) {
$header = '<h1>'.$this->header.'</h1>';
$header = phutil_tag('h1', array(), $this->header);
} else {
$header = null;
}
@ -79,16 +79,18 @@ final class AphrontPanelView extends AphrontView {
$buttons = null;
if ($this->buttons) {
$buttons =
'<div class="aphront-panel-view-buttons">'.
implode(" ", $this->buttons).
'</div>';
$buttons = hsprintf(
'<div class="aphront-panel-view-buttons">%s</div>',
phutil_implode_html(" ", $this->buttons));
}
$header_elements =
'<div class="aphront-panel-header">'.
$buttons.$header.$caption.
'</div>';
$table = implode('', $this->renderChildren());
$header_elements = hsprintf(
'<div class="aphront-panel-header">%s%s%s</div>',
$buttons,
$header,
$caption);
// TODO: [HTML] Make HTML safe.
$table = phutil_safe_html(implode('', $this->renderChildren()));
require_celerity_resource('aphront-panel-view-css');
@ -104,8 +106,7 @@ final class AphrontPanelView extends AphrontView {
'class' => implode(' ', $classes),
'id' => $this->id,
),
// TODO: [HTML] Make HTML safe.
phutil_safe_html($header_elements.$table));
array($header_elements, $table));
}
}
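Review bot: `phutil_safe_html(implode('', $this->renderChildren()))` on the new side asserts that every child is already trusted HTML without checking it, so any caller that passes untrusted text to appendChild() (children are deliberately left out, per the commit title) now has its XSS sink inside render() instead of at the call site; the panel headers fixed elsewhere in this commit were exactly this shape. Until the children are converted, the TODO should state the contract callers must satisfy, e.g. `// TODO: [HTML] Children are trusted verbatim; callers MUST pass PhutilSafeHTML or pre-escaped markup to appendChild().` Once every caller is audited, `phutil_implode_html('', $this->renderChildren())` would escape stray plain strings rather than trust them, mirroring what the buttons now do. `$caption` is built in lines hidden between the first and second hunk, so its safety could not be confirmed from here.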