Convert AphrontPanelView to safe HTML (except children)
Summary: Fixes some double escaping and potential XSS. Test Plan: Looked at homepage. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2432 Differential Revision: https://secure.phabricator.com/D4917
parent
80fb84bd94
commit
5ad526942b
10 changed files with 24 additions and 25 deletions
|
@ -335,7 +335,7 @@ final class PhabricatorAuditListController extends PhabricatorAuditController {
|
|||
}
|
||||
|
||||
if ($handle) {
|
||||
$handle_name = phutil_escape_html($handle->getName());
|
||||
$handle_name = $handle->getName();
|
||||
} else {
|
||||
$handle_name = null;
|
||||
}
|
||||
|
@ -435,7 +435,7 @@ final class PhabricatorAuditListController extends PhabricatorAuditController {
|
|||
}
|
||||
|
||||
if ($handle) {
|
||||
$handle_name = phutil_escape_html($handle->getName());
|
||||
$handle_name = $handle->getName();
|
||||
} else {
|
||||
$handle_name = null;
|
||||
}
|
||||
|
|
|
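Review bot: Dropping `phutil_escape_html()` from `$handle_name` in both hunks of this controller is only safe if every later use of the variable reaches an escaping sink, and those uses are outside the lines shown. Presumably the value is passed to `AphrontPanelView::setHeader()`, which this commit makes escape at render time; if it is also concatenated into a hand-built HTML string anywhere in the method, that use would now emit the raw handle name. A short comment at each assignment, such as `// Plain text; escaped when rendered by AphrontPanelView.`, would make the contract visible to the next editor.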
@ -109,7 +109,7 @@ final class PhabricatorConduitConsoleController
|
|||
->setValue('Call Method'));
|
||||
|
||||
$panel = new AphrontPanelView();
|
||||
$panel->setHeader('Conduit API: '.phutil_escape_html($this->method));
|
||||
$panel->setHeader('Conduit API: '.$this->method);
|
||||
$panel->appendChild($form);
|
||||
$panel->setWidth(AphrontPanelView::WIDTH_FULL);
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ final class DiffusionBrowseController extends DiffusionController {
|
|||
$title = 'Tag: '.$drequest->getSymbolicCommit();
|
||||
|
||||
$tag_view = new AphrontPanelView();
|
||||
$tag_view->setHeader(phutil_escape_html($title));
|
||||
$tag_view->setHeader($title);
|
||||
$tag_view->appendChild(
|
||||
$this->markupText($drequest->getTagContent()));
|
||||
|
||||
|
|
|
@ -70,7 +70,7 @@ final class DiffusionLintDetailsController extends DiffusionController {
|
|||
|
||||
$content[] = id(new AphrontPanelView())
|
||||
->setHeader(
|
||||
($lint != '' ? phutil_escape_html($lint)." \xC2\xB7 " : '').
|
||||
($lint != '' ? $lint." \xC2\xB7 " : '').
|
||||
pht('%d Lint Message(s)', count($messages)))
|
||||
->setCaption($link)
|
||||
->appendChild($table)
|
||||
|
|
|
@ -68,7 +68,7 @@ final class DiffusionRepositoryController extends DiffusionController {
|
|||
'View Full Commit History');
|
||||
|
||||
$panel = new AphrontPanelView();
|
||||
$panel->setHeader("Recent Commits · {$all}");
|
||||
$panel->setHeader(hsprintf("Recent Commits · %s", $all));
|
||||
$panel->appendChild($history_table);
|
||||
$panel->setNoBackground();
|
||||
|
||||
|
|
|
@ -244,7 +244,7 @@ final class ManiphestReportController extends ManiphestController {
|
|||
));
|
||||
|
||||
if ($handle) {
|
||||
$header = "Task Burn Rate for Project ".$handle->renderLink();
|
||||
$header = pht("Task Burn Rate for Project %s", $handle->renderLink());
|
||||
$caption = hsprintf(
|
||||
"<p>NOTE: This table reflects tasks <em>currently</em> in ".
|
||||
"the project. If a task was opened in the past but added to ".
|
||||
|
|
|
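Review bot: The new header wraps `$handle->renderLink()` in `pht()`, whereas the parallel change in DiffusionRepositoryController uses `hsprintf()` for a header that embeds a link. Whether `pht()` keeps the link as safe HTML is not visible on this page; if it returns a plain string, `phutil_tag('h1', ...)` in `AphrontPanelView::render()` will escape the markup and the header will show literal tag text instead of a link. Either confirm that `pht()` passes safe-HTML arguments through, or use the same form as the other controller: `$header = hsprintf("Task Burn Rate for Project %s", $handle->renderLink());`. The stated test plan only covers the homepage, so this report page looks unexercised.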
@ -143,8 +143,7 @@ extends PhabricatorAuthController {
|
|||
|
||||
// display time -- make a nice form for the user to grant the client
|
||||
// access to the granularity specified by $scope
|
||||
$name = phutil_escape_html($client->getName());
|
||||
$title = 'Authorize ' . $name . '?';
|
||||
$title = 'Authorize '.$client->getName().'?';
|
||||
$panel = new AphrontPanelView();
|
||||
$panel->setWidth(AphrontPanelView::WIDTH_FORM);
|
||||
$panel->setHeader($title);
|
||||
|
|
|
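Review bot: `$title` on the OAuth authorization screen now carries the client-registered name unescaped, so its safety rests entirely on `setHeader()` escaping at render time. That holds for the `$panel->setHeader($title)` call visible here, but the rest of the method is outside the hunk: any other use of `$title` in concatenated markup, or any remaining reference to the removed `$name` variable, should be checked. A comment such as `// Plain text: the client name is user-supplied and is escaped by AphrontPanelView.` would document the assumption on a screen where users make a trust decision.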
@ -109,8 +109,7 @@ final class PhabricatorOwnersDetailController
|
|||
));
|
||||
|
||||
$panel = new AphrontPanelView();
|
||||
$panel->setHeader(
|
||||
'Package Details for "'.phutil_escape_html($package->getName()).'"');
|
||||
$panel->setHeader('Package Details for "'.$package->getName().'"');
|
||||
$panel->addButton(
|
||||
javelin_tag(
|
||||
'a',
|
||||
|
@ -200,7 +199,7 @@ final class PhabricatorOwnersDetailController
|
|||
$commit_panels = array();
|
||||
foreach ($commit_views as $commit_view) {
|
||||
$commit_panel = new AphrontPanelView();
|
||||
$commit_panel->setHeader(phutil_escape_html($commit_view['header']));
|
||||
$commit_panel->setHeader($commit_view['header']);
|
||||
if (isset($commit_view['button'])) {
|
||||
$commit_panel->addButton($commit_view['button']);
|
||||
}
|
||||
|
|
|
@ -177,7 +177,7 @@ final class PhabricatorSlowvotePollController
|
|||
|
||||
|
||||
$panel = new AphrontPanelView();
|
||||
$panel->setHeader(phutil_escape_html($poll->getQuestion()));
|
||||
$panel->setHeader($poll->getQuestion());
|
||||
$panel->setWidth(AphrontPanelView::WIDTH_WIDE);
|
||||
|
||||
$panel->appendChild($form);
|
||||
|
|
|
@ -63,7 +63,7 @@ final class AphrontPanelView extends AphrontView {
|
|||
|
||||
public function render() {
|
||||
if ($this->header !== null) {
|
||||
$header = '<h1>'.$this->header.'</h1>';
|
||||
$header = phutil_tag('h1', array(), $this->header);
|
||||
} else {
|
||||
$header = null;
|
||||
}
|
||||
|
@ -79,16 +79,18 @@ final class AphrontPanelView extends AphrontView {
|
|||
|
||||
$buttons = null;
|
||||
if ($this->buttons) {
|
||||
$buttons =
|
||||
'<div class="aphront-panel-view-buttons">'.
|
||||
implode(" ", $this->buttons).
|
||||
'</div>';
|
||||
$buttons = hsprintf(
|
||||
'<div class="aphront-panel-view-buttons">%s</div>',
|
||||
phutil_implode_html(" ", $this->buttons));
|
||||
}
|
||||
$header_elements =
|
||||
'<div class="aphront-panel-header">'.
|
||||
$buttons.$header.$caption.
|
||||
'</div>';
|
||||
$table = implode('', $this->renderChildren());
|
||||
$header_elements = hsprintf(
|
||||
'<div class="aphront-panel-header">%s%s%s</div>',
|
||||
$buttons,
|
||||
$header,
|
||||
$caption);
|
||||
|
||||
// TODO: [HTML] Make HTML safe.
|
||||
$table = phutil_safe_html(implode('', $this->renderChildren()));
|
||||
|
||||
require_celerity_resource('aphront-panel-view-css');
|
||||
|
||||
|
@ -104,8 +106,7 @@ final class AphrontPanelView extends AphrontView {
|
|||
'class' => implode(' ', $classes),
|
||||
'id' => $this->id,
|
||||
),
|
||||
// TODO: [HTML] Make HTML safe.
|
||||
phutil_safe_html($header_elements.$table));
|
||||
array($header_elements, $table));
|
||||
}
|
||||
|
||||
}
|
||||
|
|
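Review bot: `$table = phutil_safe_html(implode('', $this->renderChildren()));` still marks all child output as safe without escaping it, so a plain string handed to `appendChild()` is emitted verbatim. The TODO above it should say that explicitly, e.g. `// TODO: [HTML] Children are concatenated and trusted as-is; callers must escape any text passed to appendChild().` Separately, `$caption` and `$this->buttons` now pass through `hsprintf()` and `phutil_implode_html()`, which presumably escape plain strings (the caption-building code lies between the hunks), so callers that still pass hand-built HTML strings to `setCaption()` or `addButton()` would render visible markup. The test plan covers only the homepage, so those callers look unverified.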