mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-30 02:32:42 +01:00
Fix XSS hole in inline comment editing
Summary: Thanks to erling for the report. This was XSSable, although you could only get yourself. Test Plan: Made a comment like "</textarea><h1>" and edited it before and after the patch. Proper behavior with this patch. Reviewed By: aran Reviewers: erling, jungejason, tuomaspelkonen, aran CC: aran Differential Revision: 187
This commit is contained in:
parent
78d33b1771
commit
864e0d8a2f
1 changed files with 1 additions and 1 deletions
|
@ -188,7 +188,7 @@ class DifferentialInlineCommentEditController extends DifferentialController {
|
|||
'class' => 'differential-inline-comment-edit-textarea',
|
||||
'name' => 'text',
|
||||
),
|
||||
$text);
|
||||
phutil_escape_html($text));
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue