1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-23 23:32:40 +01:00

Convert AphrontPanelView to safe HTML (except children)

Summary: Fixes some double escaping and potential XSS.

Test Plan: Looked at homepage.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T2432

Differential Revision: https://secure.phabricator.com/D4917
This commit is contained in:
vrana 2013-02-11 21:25:39 -08:00
parent 80fb84bd94
commit 5ad526942b
10 changed files with 24 additions and 25 deletions

View file

@ -335,7 +335,7 @@ final class PhabricatorAuditListController extends PhabricatorAuditController {
} }
if ($handle) { if ($handle) {
$handle_name = phutil_escape_html($handle->getName()); $handle_name = $handle->getName();
} else { } else {
$handle_name = null; $handle_name = null;
} }
@ -435,7 +435,7 @@ final class PhabricatorAuditListController extends PhabricatorAuditController {
} }
if ($handle) { if ($handle) {
$handle_name = phutil_escape_html($handle->getName()); $handle_name = $handle->getName();
} else { } else {
$handle_name = null; $handle_name = null;
} }

View file

@ -109,7 +109,7 @@ final class PhabricatorConduitConsoleController
->setValue('Call Method')); ->setValue('Call Method'));
$panel = new AphrontPanelView(); $panel = new AphrontPanelView();
$panel->setHeader('Conduit API: '.phutil_escape_html($this->method)); $panel->setHeader('Conduit API: '.$this->method);
$panel->appendChild($form); $panel->appendChild($form);
$panel->setWidth(AphrontPanelView::WIDTH_FULL); $panel->setWidth(AphrontPanelView::WIDTH_FULL);

View file

@ -21,7 +21,7 @@ final class DiffusionBrowseController extends DiffusionController {
$title = 'Tag: '.$drequest->getSymbolicCommit(); $title = 'Tag: '.$drequest->getSymbolicCommit();
$tag_view = new AphrontPanelView(); $tag_view = new AphrontPanelView();
$tag_view->setHeader(phutil_escape_html($title)); $tag_view->setHeader($title);
$tag_view->appendChild( $tag_view->appendChild(
$this->markupText($drequest->getTagContent())); $this->markupText($drequest->getTagContent()));

View file

@ -70,7 +70,7 @@ final class DiffusionLintDetailsController extends DiffusionController {
$content[] = id(new AphrontPanelView()) $content[] = id(new AphrontPanelView())
->setHeader( ->setHeader(
($lint != '' ? phutil_escape_html($lint)." \xC2\xB7 " : ''). ($lint != '' ? $lint." \xC2\xB7 " : '').
pht('%d Lint Message(s)', count($messages))) pht('%d Lint Message(s)', count($messages)))
->setCaption($link) ->setCaption($link)
->appendChild($table) ->appendChild($table)

View file

@ -68,7 +68,7 @@ final class DiffusionRepositoryController extends DiffusionController {
'View Full Commit History'); 'View Full Commit History');
$panel = new AphrontPanelView(); $panel = new AphrontPanelView();
$panel->setHeader("Recent Commits · {$all}"); $panel->setHeader(hsprintf("Recent Commits · %s", $all));
$panel->appendChild($history_table); $panel->appendChild($history_table);
$panel->setNoBackground(); $panel->setNoBackground();

View file

@ -244,7 +244,7 @@ final class ManiphestReportController extends ManiphestController {
)); ));
if ($handle) { if ($handle) {
$header = "Task Burn Rate for Project ".$handle->renderLink(); $header = pht("Task Burn Rate for Project %s", $handle->renderLink());
$caption = hsprintf( $caption = hsprintf(
"<p>NOTE: This table reflects tasks <em>currently</em> in ". "<p>NOTE: This table reflects tasks <em>currently</em> in ".
"the project. If a task was opened in the past but added to ". "the project. If a task was opened in the past but added to ".

View file

@ -143,8 +143,7 @@ extends PhabricatorAuthController {
// display time -- make a nice form for the user to grant the client // display time -- make a nice form for the user to grant the client
// access to the granularity specified by $scope // access to the granularity specified by $scope
$name = phutil_escape_html($client->getName()); $title = 'Authorize '.$client->getName().'?';
$title = 'Authorize ' . $name . '?';
$panel = new AphrontPanelView(); $panel = new AphrontPanelView();
$panel->setWidth(AphrontPanelView::WIDTH_FORM); $panel->setWidth(AphrontPanelView::WIDTH_FORM);
$panel->setHeader($title); $panel->setHeader($title);

View file

@ -109,8 +109,7 @@ final class PhabricatorOwnersDetailController
)); ));
$panel = new AphrontPanelView(); $panel = new AphrontPanelView();
$panel->setHeader( $panel->setHeader('Package Details for "'.$package->getName().'"');
'Package Details for "'.phutil_escape_html($package->getName()).'"');
$panel->addButton( $panel->addButton(
javelin_tag( javelin_tag(
'a', 'a',
@ -200,7 +199,7 @@ final class PhabricatorOwnersDetailController
$commit_panels = array(); $commit_panels = array();
foreach ($commit_views as $commit_view) { foreach ($commit_views as $commit_view) {
$commit_panel = new AphrontPanelView(); $commit_panel = new AphrontPanelView();
$commit_panel->setHeader(phutil_escape_html($commit_view['header'])); $commit_panel->setHeader($commit_view['header']);
if (isset($commit_view['button'])) { if (isset($commit_view['button'])) {
$commit_panel->addButton($commit_view['button']); $commit_panel->addButton($commit_view['button']);
} }

View file

@ -177,7 +177,7 @@ final class PhabricatorSlowvotePollController
$panel = new AphrontPanelView(); $panel = new AphrontPanelView();
$panel->setHeader(phutil_escape_html($poll->getQuestion())); $panel->setHeader($poll->getQuestion());
$panel->setWidth(AphrontPanelView::WIDTH_WIDE); $panel->setWidth(AphrontPanelView::WIDTH_WIDE);
$panel->appendChild($form); $panel->appendChild($form);

View file

@ -63,7 +63,7 @@ final class AphrontPanelView extends AphrontView {
public function render() { public function render() {
if ($this->header !== null) { if ($this->header !== null) {
$header = '<h1>'.$this->header.'</h1>'; $header = phutil_tag('h1', array(), $this->header);
} else { } else {
$header = null; $header = null;
} }
@ -79,16 +79,18 @@ final class AphrontPanelView extends AphrontView {
$buttons = null; $buttons = null;
if ($this->buttons) { if ($this->buttons) {
$buttons = $buttons = hsprintf(
'<div class="aphront-panel-view-buttons">'. '<div class="aphront-panel-view-buttons">%s</div>',
implode(" ", $this->buttons). phutil_implode_html(" ", $this->buttons));
'</div>';
} }
$header_elements = $header_elements = hsprintf(
'<div class="aphront-panel-header">'. '<div class="aphront-panel-header">%s%s%s</div>',
$buttons.$header.$caption. $buttons,
'</div>'; $header,
$table = implode('', $this->renderChildren()); $caption);
// TODO: [HTML] Make HTML safe.
$table = phutil_safe_html(implode('', $this->renderChildren()));
require_celerity_resource('aphront-panel-view-css'); require_celerity_resource('aphront-panel-view-css');
@ -104,8 +106,7 @@ final class AphrontPanelView extends AphrontView {
'class' => implode(' ', $classes), 'class' => implode(' ', $classes),
'id' => $this->id, 'id' => $this->id,
), ),
// TODO: [HTML] Make HTML safe. array($header_elements, $table));
phutil_safe_html($header_elements.$table));
} }
} }