Convert PhabricatorTransactionView to safe HTML

Test Plan: Looked at revision detail with comments. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D4915
2024-12-23 14:00:56 +01:00 · 2013-02-11 18:59:30 -08:00 · 2013-02-11 18:59:30 -08:00 · 80fb84bd94
commit 80fb84bd94
parent 868ca71451
8 changed files with 47 additions and 52 deletions
--- a/src/applications/conpherence/controller/ConpherenceController.php
+++ b/src/applications/conpherence/controller/ConpherenceController.php
@ -159,8 +159,7 @@ abstract class ConpherenceController extends PhabricatorController {
        $item->addClass('hide-unread-count');
      }

-      // TODO: [HTML] Clean this up when we clean up HTML stuff in Conpherence.
-      $nav->addCustomBlock(phutil_safe_html($item->render()));
+      $nav->addCustomBlock($item->render());
    }
    if (empty($conpherences) || $read) {
      $nav->addCustomBlock($this->getNoConpherencesBlock());
--- a/src/applications/differential/view/DifferentialRevisionCommentView.php
+++ b/src/applications/differential/view/DifferentialRevisionCommentView.php
@ -87,10 +87,9 @@ final class DifferentialRevisionCommentView extends AphrontView {
        $comment,
        PhabricatorInlineCommentInterface::MARKUP_FIELD_BODY);

-      $content =
-        '<div class="phabricator-remarkup">'.
-          $content.
-        '</div>';
+      $content = hsprintf(
+        '<div class="phabricator-remarkup">%s</div>',
+        $content);
    }

    $inline_render = $this->renderInlineComments();
@ -208,11 +207,10 @@ final class DifferentialRevisionCommentView extends AphrontView {
    }

    if (!$hide_comments) {
-      $xaction_view->appendChild(
-        '<div class="differential-comment-core">'.
-          $content.
-        '</div>'.
-        $this->renderSingleView($inline_render));
+      $xaction_view->appendChild(hsprintf(
+        '<div class="differential-comment-core">%s%s</div>',
+        $content,
+        $this->renderSingleView($inline_render)));
    }

    return $xaction_view->render();
--- a/src/applications/diffusion/query/browse/DiffusionBrowseQuery.php
+++ b/src/applications/diffusion/query/browse/DiffusionBrowseQuery.php
@ -119,8 +119,7 @@ abstract class DiffusionBrowseQuery {
      $readme_content = $highlighter
        ->getHighlightFuture($readme_content)
        ->resolve();
-      $readme_content = nl2br($readme_content);
-      $readme_content = phutil_safe_html($readme_content);
+      $readme_content = phutil_escape_html_newlines($readme_content);

      require_celerity_resource('syntax-highlighting-css');
      $class = 'remarkup-code';
--- a/src/applications/diffusion/view/DiffusionCommentView.php
+++ b/src/applications/diffusion/view/DiffusionCommentView.php
@ -139,13 +139,12 @@ final class DiffusionCommentView extends AphrontView {
    if (!strlen($comment->getContent()) && empty($this->inlineComments)) {
      return null;
    } else {
-      return
-        '<div class="phabricator-remarkup">'.
-          $engine->getOutput(
-            $comment,
-            PhabricatorAuditComment::MARKUP_FIELD_BODY).
-          $this->renderSingleView($this->renderInlines()).
-        '</div>';
+      return hsprintf(
+        '<div class="phabricator-remarkup">%s%s</div>',
+        $engine->getOutput(
+          $comment,
+          PhabricatorAuditComment::MARKUP_FIELD_BODY),
+        $this->renderSingleView($this->renderInlines()));
    }
  }

--- a/src/applications/maniphest/view/ManiphestTransactionDetailView.php
+++ b/src/applications/maniphest/view/ManiphestTransactionDetailView.php
@ -186,10 +186,10 @@ final class ManiphestTransactionDetailView extends ManiphestView {
      $comment_block = $this->markupEngine->getOutput(
        $comment_transaction,
        ManiphestTransaction::MARKUP_FIELD_BODY);
-      $comment_block =
-        '<div class="maniphest-transaction-comments phabricator-remarkup">'.
-          $comment_block.
-        '</div>';
+      $comment_block = phutil_tag(
+        'div',
+        array('class' => 'maniphest-transaction-comments phabricator-remarkup'),
+        $comment_block);
    } else {
      $comment_block = null;
    }
--- a/src/applications/ponder/view/PonderPostBodyView.php
+++ b/src/applications/ponder/view/PonderPostBodyView.php
@ -64,7 +64,7 @@ final class PonderPostBodyView extends AphrontView {
      $content);

    $author = $this->handles[$target->getAuthorPHID()];
-    $actions = array($author->renderLink().' '.$this->action);
+    $actions = array(hsprintf('%s %s', $author->renderLink(), $this->action));
    $author_link = $author->renderLink();
    $xaction_view = id(new PhabricatorTransactionView())
      ->setUser($user)
--- a/src/view/form/control/AphrontFormCropControl.php
+++ b/src/view/form/control/AphrontFormCropControl.php
@ -29,7 +29,7 @@ final class AphrontFormCropControl extends AphrontFormControl {
    $file = $this->getValue();

    if ($file === null) {
-      return phutil_render_tag(
+      return phutil_tag(
        'img',
        array(
          'src' => PhabricatorUser::getDefaultProfileImageURI()
--- a/src/view/layout/PhabricatorTransactionView.php
+++ b/src/view/layout/PhabricatorTransactionView.php
@ -58,7 +58,7 @@ final class PhabricatorTransactionView extends AphrontView {
    $actions = $this->renderTransactionActions();
    $style = $this->renderTransactionStyle();
    $content = $this->renderTransactionContent();
-    $classes = phutil_escape_html(implode(' ', $this->classes));
+    $classes = implode(' ', $this->classes);

    $transaction_id = $this->anchorName ? 'anchor-'.$this->anchorName : null;

@ -69,15 +69,15 @@ final class PhabricatorTransactionView extends AphrontView {
        'id'    => $transaction_id,
        'style' => $style,
      ),
-      // TODO: [HTML] Make HTML safe.
-      phutil_safe_html(
-        '<div class="phabricator-transaction-detail '.$classes.'">'.
-          '<div class="phabricator-transaction-header">'.
-            $info.
-            $actions.
-          '</div>'.
-          $content.
-        '</div>'));
+      hsprintf(
+        '<div class="phabricator-transaction-detail %s">'.
+          '<div class="phabricator-transaction-header">%s%s</div>'.
+          '%s'.
+        '</div>',
+        $classes,
+        $info,
+        $actions,
+        $content));

  }

@ -107,24 +107,24 @@ final class PhabricatorTransactionView extends AphrontView {
        ->setAnchorName($this->anchorName)
        ->render();

-      $info[] = $anchor.phutil_tag(
-        'a',
-        array(
-          'href'  => '#'.$this->anchorName,
-        ),
-        $this->anchorText);
+      $info[] = hsprintf(
+        '%s%s',
+        $anchor,
+        phutil_tag(
+          'a',
+          array('href'  => '#'.$this->anchorName),
+          $this->anchorText));
    }

-    $info = implode(' &middot; ', $info);
+    $info = phutil_implode_html(" \xC2\xB7 ", $info);

-    return
-      '<span class="phabricator-transaction-info">'.
-        $info.
-      '</span>';
+    return hsprintf(
+      '<span class="phabricator-transaction-info">%s</span>',
+      $info);
  }

  private function renderTransactionActions() {
-    return implode('', $this->actions);
+    return phutil_implode_html('', $this->actions);
  }

  private function renderTransactionStyle() {
@ -140,10 +140,10 @@ final class PhabricatorTransactionView extends AphrontView {
    if (!$content) {
      return null;
    }
-    return
-      '<div class="phabricator-transaction-content">'.
-        implode('', $content).
-      '</div>';
+    return phutil_tag(
+      'div',
+      array('class' => 'phabricator-transaction-content'),
+      $this->renderSingleView($content));
  }

 }