Convert PhabricatorTransactionView to safe HTML

Test Plan: Looked at revision detail with comments. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D4915
2025-04-04 08:28:22 +02:00 · 2013-02-11 18:59:30 -08:00 · 2013-02-11 18:59:30 -08:00 · 80fb84bd94
commit 80fb84bd94
parent 868ca71451
8 changed files with 47 additions and 52 deletions
--- a/src/applications/conpherence/controller/ConpherenceController.php
+++ b/src/applications/conpherence/controller/ConpherenceController.php
@ -159,8 +159,7 @@ abstract class ConpherenceController extends PhabricatorController {
        $item->addClass('hide-unread-count');
      }
-      // TODO: [HTML] Clean this up when we clean up HTML stuff in Conpherence.
+      $nav->addCustomBlock($item->render());
      $nav->addCustomBlock(phutil_safe_html($item->render()));
    }
    if (empty($conpherences) || $read) {
      $nav->addCustomBlock($this->getNoConpherencesBlock());
--- a/src/applications/differential/view/DifferentialRevisionCommentView.php
+++ b/src/applications/differential/view/DifferentialRevisionCommentView.php
@ -87,10 +87,9 @@ final class DifferentialRevisionCommentView extends AphrontView {
        $comment,
        PhabricatorInlineCommentInterface::MARKUP_FIELD_BODY);
-      $content =
+      $content = hsprintf(
-        '<div class="phabricator-remarkup">'.
+        '<div class="phabricator-remarkup">%s</div>',
-          $content.
+        $content);
        '</div>';
    }
    $inline_render = $this->renderInlineComments();
@ -208,11 +207,10 @@ final class DifferentialRevisionCommentView extends AphrontView {
    }
    if (!$hide_comments) {
-      $xaction_view->appendChild(
+      $xaction_view->appendChild(hsprintf(
-        '<div class="differential-comment-core">'.
+        '<div class="differential-comment-core">%s%s</div>',
-          $content.
+        $content,
-        '</div>'.
+        $this->renderSingleView($inline_render)));
        $this->renderSingleView($inline_render));
    }
    return $xaction_view->render();
--- a/src/applications/diffusion/query/browse/DiffusionBrowseQuery.php
+++ b/src/applications/diffusion/query/browse/DiffusionBrowseQuery.php
@ -119,8 +119,7 @@ abstract class DiffusionBrowseQuery {
      $readme_content = $highlighter
        ->getHighlightFuture($readme_content)
        ->resolve();
-      $readme_content = nl2br($readme_content);
+      $readme_content = phutil_escape_html_newlines($readme_content);
      $readme_content = phutil_safe_html($readme_content);
      require_celerity_resource('syntax-highlighting-css');
      $class = 'remarkup-code';
--- a/src/applications/diffusion/view/DiffusionCommentView.php
+++ b/src/applications/diffusion/view/DiffusionCommentView.php
@ -139,13 +139,12 @@ final class DiffusionCommentView extends AphrontView {
    if (!strlen($comment->getContent()) && empty($this->inlineComments)) {
      return null;
    } else {
-      return
+      return hsprintf(
-        '<div class="phabricator-remarkup">'.
+        '<div class="phabricator-remarkup">%s%s</div>',
        $engine->getOutput(
          $comment,
-            PhabricatorAuditComment::MARKUP_FIELD_BODY).
+          PhabricatorAuditComment::MARKUP_FIELD_BODY),
-          $this->renderSingleView($this->renderInlines()).
+        $this->renderSingleView($this->renderInlines()));
        '</div>';
    }
  }
--- a/src/applications/maniphest/view/ManiphestTransactionDetailView.php
+++ b/src/applications/maniphest/view/ManiphestTransactionDetailView.php
@ -186,10 +186,10 @@ final class ManiphestTransactionDetailView extends ManiphestView {
      $comment_block = $this->markupEngine->getOutput(
        $comment_transaction,
        ManiphestTransaction::MARKUP_FIELD_BODY);
-      $comment_block =
+      $comment_block = phutil_tag(
-        '<div class="maniphest-transaction-comments phabricator-remarkup">'.
+        'div',
-          $comment_block.
+        array('class' => 'maniphest-transaction-comments phabricator-remarkup'),
-        '</div>';
+        $comment_block);
    } else {
      $comment_block = null;
    }
--- a/src/applications/ponder/view/PonderPostBodyView.php
+++ b/src/applications/ponder/view/PonderPostBodyView.php
@ -64,7 +64,7 @@ final class PonderPostBodyView extends AphrontView {
      $content);
    $author = $this->handles[$target->getAuthorPHID()];
-    $actions = array($author->renderLink().' '.$this->action);
+    $actions = array(hsprintf('%s %s', $author->renderLink(), $this->action));
    $author_link = $author->renderLink();
    $xaction_view = id(new PhabricatorTransactionView())
      ->setUser($user)
--- a/src/view/form/control/AphrontFormCropControl.php
+++ b/src/view/form/control/AphrontFormCropControl.php
@ -29,7 +29,7 @@ final class AphrontFormCropControl extends AphrontFormControl {
    $file = $this->getValue();
    if ($file === null) {
-      return phutil_render_tag(
+      return phutil_tag(
        'img',
        array(
          'src' => PhabricatorUser::getDefaultProfileImageURI()
--- a/src/view/layout/PhabricatorTransactionView.php
+++ b/src/view/layout/PhabricatorTransactionView.php
@ -58,7 +58,7 @@ final class PhabricatorTransactionView extends AphrontView {
    $actions = $this->renderTransactionActions();
    $style = $this->renderTransactionStyle();
    $content = $this->renderTransactionContent();
-    $classes = phutil_escape_html(implode(' ', $this->classes));
+    $classes = implode(' ', $this->classes);
    $transaction_id = $this->anchorName ? 'anchor-'.$this->anchorName : null;
@ -69,15 +69,15 @@ final class PhabricatorTransactionView extends AphrontView {
        'id'    => $transaction_id,
        'style' => $style,
      ),
-      // TODO: [HTML] Make HTML safe.
+      hsprintf(
-      phutil_safe_html(
+        '<div class="phabricator-transaction-detail %s">'.
-        '<div class="phabricator-transaction-detail '.$classes.'">'.
+          '<div class="phabricator-transaction-header">%s%s</div>'.
-          '<div class="phabricator-transaction-header">'.
+          '%s'.
-            $info.
+        '</div>',
-            $actions.
+        $classes,
-          '</div>'.
+        $info,
-          $content.
+        $actions,
-        '</div>'));
+        $content));
  }
@ -107,24 +107,24 @@ final class PhabricatorTransactionView extends AphrontView {
        ->setAnchorName($this->anchorName)
        ->render();
-      $info[] = $anchor.phutil_tag(
+      $info[] = hsprintf(
        '%s%s',
        $anchor,
        phutil_tag(
          'a',
-        array(
+          array('href'  => '#'.$this->anchorName),
-          'href'  => '#'.$this->anchorName,
+          $this->anchorText));
        ),
        $this->anchorText);
    }
-    $info = implode(' &middot; ', $info);
+    $info = phutil_implode_html(" \xC2\xB7 ", $info);
-    return
+    return hsprintf(
-      '<span class="phabricator-transaction-info">'.
+      '<span class="phabricator-transaction-info">%s</span>',
-        $info.
+      $info);
      '</span>';
  }
  private function renderTransactionActions() {
-    return implode('', $this->actions);
+    return phutil_implode_html('', $this->actions);
  }
  private function renderTransactionStyle() {
@ -140,10 +140,10 @@ final class PhabricatorTransactionView extends AphrontView {
    if (!$content) {
      return null;
    }
-    return
+    return phutil_tag(
-      '<div class="phabricator-transaction-content">'.
+      'div',
-        implode('', $content).
+      array('class' => 'phabricator-transaction-content'),
-      '</div>';
+      $this->renderSingleView($content));
  }
 }