Convert AphrontPanelView to safe HTML (except children)
Summary: Fixes some double escaping and potential XSS. Test Plan: Looked at homepage. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2432 Differential Revision: https://secure.phabricator.com/D4917
This commit is contained in:
parent
80fb84bd94
commit
5ad526942b
10 changed files with 24 additions and 25 deletions
|
@ -335,7 +335,7 @@ final class PhabricatorAuditListController extends PhabricatorAuditController {
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($handle) {
|
if ($handle) {
|
||||||
$handle_name = phutil_escape_html($handle->getName());
|
$handle_name = $handle->getName();
|
||||||
} else {
|
} else {
|
||||||
$handle_name = null;
|
$handle_name = null;
|
||||||
}
|
}
|
||||||
|
@ -435,7 +435,7 @@ final class PhabricatorAuditListController extends PhabricatorAuditController {
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($handle) {
|
if ($handle) {
|
||||||
$handle_name = phutil_escape_html($handle->getName());
|
$handle_name = $handle->getName();
|
||||||
} else {
|
} else {
|
||||||
$handle_name = null;
|
$handle_name = null;
|
||||||
}
|
}
|
||||||
|
|
|
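Review bot: The escape removed at `$handle_name = $handle->getName();` in both hunks here (-335 and -435) is only safe if every later use of `$handle_name` is an escaping sink such as phutil_tag or hsprintf, and those uses lie outside the hunks, so they cannot be confirmed from this diff. If either method still concatenates `$handle_name` into a raw HTML string, this change turns a double escape into a missing escape. The same applies to `$title` in the DiffusionBrowseController and OAuth authorize hunks of this commit, where the variable may presumably also feed a page title. A short comment at the assignment, `// plain text: must only flow into an escaping sink (phutil_tag/hsprintf)`, would make the new contract visible.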
@ -109,7 +109,7 @@ final class PhabricatorConduitConsoleController
|
||||||
->setValue('Call Method'));
|
->setValue('Call Method'));
|
||||||
|
|
||||||
$panel = new AphrontPanelView();
|
$panel = new AphrontPanelView();
|
||||||
$panel->setHeader('Conduit API: '.phutil_escape_html($this->method));
|
$panel->setHeader('Conduit API: '.$this->method);
|
||||||
$panel->appendChild($form);
|
$panel->appendChild($form);
|
||||||
$panel->setWidth(AphrontPanelView::WIDTH_FULL);
|
$panel->setWidth(AphrontPanelView::WIDTH_FULL);
|
||||||
|
|
||||||
|
|
|
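Review bot: `$panel->setHeader('Conduit API: '.$this->method);` is a user-facing string that bypasses pht(), while the Lint and Maniphest hunks in this same commit use pht(); `$panel->setHeader(pht('Conduit API: %s', $this->method));` would keep it translatable and reads as one unit. The same point applies to the `$title` strings in the DiffusionBrowse and OAuth hunks and to the "Package Details" header in the Owners hunk. Whether `$this->method` ends up escaped now depends entirely on AphrontPanelView::render(), which is in another file of this commit; the method continues outside the hunk.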
@ -21,7 +21,7 @@ final class DiffusionBrowseController extends DiffusionController {
|
||||||
$title = 'Tag: '.$drequest->getSymbolicCommit();
|
$title = 'Tag: '.$drequest->getSymbolicCommit();
|
||||||
|
|
||||||
$tag_view = new AphrontPanelView();
|
$tag_view = new AphrontPanelView();
|
||||||
$tag_view->setHeader(phutil_escape_html($title));
|
$tag_view->setHeader($title);
|
||||||
$tag_view->appendChild(
|
$tag_view->appendChild(
|
||||||
$this->markupText($drequest->getTagContent()));
|
$this->markupText($drequest->getTagContent()));
|
||||||
|
|
||||||
|
|
|
@ -70,7 +70,7 @@ final class DiffusionLintDetailsController extends DiffusionController {
|
||||||
|
|
||||||
$content[] = id(new AphrontPanelView())
|
$content[] = id(new AphrontPanelView())
|
||||||
->setHeader(
|
->setHeader(
|
||||||
($lint != '' ? phutil_escape_html($lint)." \xC2\xB7 " : '').
|
($lint != '' ? $lint." \xC2\xB7 " : '').
|
||||||
pht('%d Lint Message(s)', count($messages)))
|
pht('%d Lint Message(s)', count($messages)))
|
||||||
->setCaption($link)
|
->setCaption($link)
|
||||||
->appendChild($table)
|
->appendChild($table)
|
||||||
|
|
|
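Review bot: `($lint != '' ? $lint." \xC2\xB7 " : '')` keeps a loose `!=` where a strict comparison states the intent; `($lint !== '' ? $lint." \xC2\xB7 " : '')` avoids PHP's string-to-number coercion rules for whatever type `$lint` turns out to be (its origin is outside the hunk). Dropping phutil_escape_html here is consistent with the header now being passed through phutil_tag in AphrontPanelView::render(), but the `$lint` prefix is still not translatable while the second half uses pht(); the enclosing method continues outside the hunk.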
@ -68,7 +68,7 @@ final class DiffusionRepositoryController extends DiffusionController {
|
||||||
'View Full Commit History');
|
'View Full Commit History');
|
||||||
|
|
||||||
$panel = new AphrontPanelView();
|
$panel = new AphrontPanelView();
|
||||||
$panel->setHeader("Recent Commits · {$all}");
|
$panel->setHeader(hsprintf("Recent Commits · %s", $all));
|
||||||
$panel->appendChild($history_table);
|
$panel->appendChild($history_table);
|
||||||
$panel->setNoBackground();
|
$panel->setNoBackground();
|
||||||
|
|
||||||
|
|
|
@ -244,7 +244,7 @@ final class ManiphestReportController extends ManiphestController {
|
||||||
));
|
));
|
||||||
|
|
||||||
if ($handle) {
|
if ($handle) {
|
||||||
$header = "Task Burn Rate for Project ".$handle->renderLink();
|
$header = pht("Task Burn Rate for Project %s", $handle->renderLink());
|
||||||
$caption = hsprintf(
|
$caption = hsprintf(
|
||||||
"<p>NOTE: This table reflects tasks <em>currently</em> in ".
|
"<p>NOTE: This table reflects tasks <em>currently</em> in ".
|
||||||
"the project. If a task was opened in the past but added to ".
|
"the project. If a task was opened in the past but added to ".
|
||||||
|
|
|
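Review bot: `$header = pht("Task Burn Rate for Project %s", $handle->renderLink());` feeds a PhutilSafeHTML link through pht(); this renders correctly only if pht() returns safe HTML when one of its arguments is safe HTML, otherwise the link is cast to a plain string and phutil_tag in AphrontPanelView::render() will escape the anchor markup into literal text. The DiffusionRepository hunk in this commit uses `hsprintf("Recent Commits · %s", $all)` for the same text-plus-link pattern, which does not depend on that behaviour of pht(). One of the two forms should be used consistently, and if pht() is kept a comment such as `// pht() returns PhutilSafeHTML here because the link argument is safe HTML` would record the assumption. The surrounding method continues outside the hunk.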
@ -143,8 +143,7 @@ extends PhabricatorAuthController {
|
||||||
|
|
||||||
// display time -- make a nice form for the user to grant the client
|
// display time -- make a nice form for the user to grant the client
|
||||||
// access to the granularity specified by $scope
|
// access to the granularity specified by $scope
|
||||||
$name = phutil_escape_html($client->getName());
|
$title = 'Authorize '.$client->getName().'?';
|
||||||
$title = 'Authorize ' . $name . '?';
|
|
||||||
$panel = new AphrontPanelView();
|
$panel = new AphrontPanelView();
|
||||||
$panel->setWidth(AphrontPanelView::WIDTH_FORM);
|
$panel->setWidth(AphrontPanelView::WIDTH_FORM);
|
||||||
$panel->setHeader($title);
|
$panel->setHeader($title);
|
||||||
|
|
|
@ -109,8 +109,7 @@ final class PhabricatorOwnersDetailController
|
||||||
));
|
));
|
||||||
|
|
||||||
$panel = new AphrontPanelView();
|
$panel = new AphrontPanelView();
|
||||||
$panel->setHeader(
|
$panel->setHeader('Package Details for "'.$package->getName().'"');
|
||||||
'Package Details for "'.phutil_escape_html($package->getName()).'"');
|
|
||||||
$panel->addButton(
|
$panel->addButton(
|
||||||
javelin_tag(
|
javelin_tag(
|
||||||
'a',
|
'a',
|
||||||
|
@ -200,7 +199,7 @@ final class PhabricatorOwnersDetailController
|
||||||
$commit_panels = array();
|
$commit_panels = array();
|
||||||
foreach ($commit_views as $commit_view) {
|
foreach ($commit_views as $commit_view) {
|
||||||
$commit_panel = new AphrontPanelView();
|
$commit_panel = new AphrontPanelView();
|
||||||
$commit_panel->setHeader(phutil_escape_html($commit_view['header']));
|
$commit_panel->setHeader($commit_view['header']);
|
||||||
if (isset($commit_view['button'])) {
|
if (isset($commit_view['button'])) {
|
||||||
$commit_panel->addButton($commit_view['button']);
|
$commit_panel->addButton($commit_view['button']);
|
||||||
}
|
}
|
||||||
|
|
|
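Review bot: `$commit_panel->setHeader($commit_view['header']);` in the -200 hunk drops the escape, so the value is now escaped exactly once by phutil_tag in render(); that is correct only if `$commit_view['header']` is built as plain text, and its construction lies outside the hunk. If it was ever assembled as markup, that markup will now render as literal text; if it is plain text, the old double escape is fixed. Worth confirming where `$commit_view` is populated and recording it with `// header is plain text; escaped once by AphrontPanelView::render()`.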
@ -177,7 +177,7 @@ final class PhabricatorSlowvotePollController
|
||||||
|
|
||||||
|
|
||||||
$panel = new AphrontPanelView();
|
$panel = new AphrontPanelView();
|
||||||
$panel->setHeader(phutil_escape_html($poll->getQuestion()));
|
$panel->setHeader($poll->getQuestion());
|
||||||
$panel->setWidth(AphrontPanelView::WIDTH_WIDE);
|
$panel->setWidth(AphrontPanelView::WIDTH_WIDE);
|
||||||
|
|
||||||
$panel->appendChild($form);
|
$panel->appendChild($form);
|
||||||
|
|
|
@ -63,7 +63,7 @@ final class AphrontPanelView extends AphrontView {
|
||||||
|
|
||||||
public function render() {
|
public function render() {
|
||||||
if ($this->header !== null) {
|
if ($this->header !== null) {
|
||||||
$header = '<h1>'.$this->header.'</h1>';
|
$header = phutil_tag('h1', array(), $this->header);
|
||||||
} else {
|
} else {
|
||||||
$header = null;
|
$header = null;
|
||||||
}
|
}
|
||||||
|
@ -79,16 +79,18 @@ final class AphrontPanelView extends AphrontView {
|
||||||
|
|
||||||
$buttons = null;
|
$buttons = null;
|
||||||
if ($this->buttons) {
|
if ($this->buttons) {
|
||||||
$buttons =
|
$buttons = hsprintf(
|
||||||
'<div class="aphront-panel-view-buttons">'.
|
'<div class="aphront-panel-view-buttons">%s</div>',
|
||||||
implode(" ", $this->buttons).
|
phutil_implode_html(" ", $this->buttons));
|
||||||
'</div>';
|
|
||||||
}
|
}
|
||||||
$header_elements =
|
$header_elements = hsprintf(
|
||||||
'<div class="aphront-panel-header">'.
|
'<div class="aphront-panel-header">%s%s%s</div>',
|
||||||
$buttons.$header.$caption.
|
$buttons,
|
||||||
'</div>';
|
$header,
|
||||||
$table = implode('', $this->renderChildren());
|
$caption);
|
||||||
|
|
||||||
|
// TODO: [HTML] Make HTML safe.
|
||||||
|
$table = phutil_safe_html(implode('', $this->renderChildren()));
|
||||||
|
|
||||||
require_celerity_resource('aphront-panel-view-css');
|
require_celerity_resource('aphront-panel-view-css');
|
||||||
|
|
||||||
|
@ -104,8 +106,7 @@ final class AphrontPanelView extends AphrontView {
|
||||||
'class' => implode(' ', $classes),
|
'class' => implode(' ', $classes),
|
||||||
'id' => $this->id,
|
'id' => $this->id,
|
||||||
),
|
),
|
||||||
// TODO: [HTML] Make HTML safe.
|
array($header_elements, $table));
|
||||||
phutil_safe_html($header_elements.$table));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
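Review bot: `$table = phutil_safe_html(implode('', $this->renderChildren()));` in the +79 hunk marks the concatenated children as trusted without inspecting them, so any child appended as a raw string, or any child view whose render() returns unescaped data, still reaches the page unescaped; the `// TODO: [HTML] Make HTML safe.` placed above it does not say this. The header path is now sound: phutil_tag escapes a string header in the -63 hunk, and hsprintf and phutil_implode_html escape string arguments in the +79 hunk. Suggest expanding the TODO to `// TODO: [HTML] Children are concatenated and trusted as-is; every child must already be escaped or safe HTML.` and adding a docblock on setHeader/addButton stating that plain strings are escaped at render time, since the caller hunks in this commit now rely on that contract. One side effect to flag: any existing caller that passes pre-built markup to addButton will now see it escaped by phutil_implode_html.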