Convert AphrontTableView to safe HTML

Summary: Lots of killed `phutil_escape_html()`. Done by searching for `AphrontTableView` and then `$rows` (usually) backwards. Test Plan: Looked at homepage. echo id(new AphrontTableView(array(array('<'))))->render(); Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D4884
2024-11-23 15:22:41 +01:00 · 2013-02-09 12:10:16 -08:00 · 2013-02-09 12:10:16 -08:00 · 9b8da73765
commit 9b8da73765
parent 58b6e2cac6
53 changed files with 206 additions and 262 deletions
--- a/src/aphront/configuration/AphrontDefaultApplicationConfiguration.php
+++ b/src/aphront/configuration/AphrontDefaultApplicationConfiguration.php
@ -349,7 +349,7 @@ class AphrontDefaultApplicationConfiguration
            ),
            $relative);
        }
-        $file_name = $file_name.' : '.(int)$part['line'];
+        $file_name = hsprintf('%s : %d', $file_name, $part['line']);
      } else {
        $file_name = phutil_tag('em', array(), '(Internal)');
      }
@ -357,9 +357,9 @@ class AphrontDefaultApplicationConfiguration

      $rows[] = array(
        $depth--,
-        phutil_escape_html($lib),
+        $lib,
        $file_name,
-        phutil_escape_html($where),
+        $where,
      );
    }
    $table = new AphrontTableView($rows);
@ -383,7 +383,7 @@ class AphrontDefaultApplicationConfiguration
        '<div class="exception-trace-header">Stack Trace</div>'.
        '%s',
      '</div>',
-      phutil_safe_html($table->render()));
+      $table->render());
  }

 }
--- a/src/aphront/console/plugin/DarkConsoleEventPlugin.php
+++ b/src/aphront/console/plugin/DarkConsoleEventPlugin.php
@ -49,10 +49,7 @@ final class DarkConsoleEventPlugin extends DarkConsolePlugin {

    $rows = array();
    foreach ($data['listeners'] as $listener) {
-      $rows[] = array(
-        phutil_escape_html($listener['id']),
-        phutil_escape_html($listener['class']),
-      );
+      $rows[] = array($listener['id'], $listener['class']);
    }

    $table = new AphrontTableView($rows);
@ -77,7 +74,7 @@ final class DarkConsoleEventPlugin extends DarkConsolePlugin {
    $rows = array();
    foreach ($data['events'] as $event) {
      $rows[] = array(
-        phutil_escape_html($event['type']),
+        $event['type'],
        $event['stopped'] ? 'STOPPED' : null,
      );
    }
--- a/src/aphront/console/plugin/DarkConsoleRequestPlugin.php
+++ b/src/aphront/console/plugin/DarkConsoleRequestPlugin.php
@ -43,8 +43,8 @@ final class DarkConsoleRequestPlugin extends DarkConsolePlugin {
      $rows = array();
      foreach ($map as $key => $value) {
        $rows[] = array(
-          phutil_escape_html($key),
-          phutil_escape_html(is_array($value) ? json_encode($value) : $value),
+          $key,
+          (is_array($value) ? json_encode($value) : $value),
        );
      }

--- a/src/aphront/console/plugin/DarkConsoleServicesPlugin.php
+++ b/src/aphront/console/plugin/DarkConsoleServicesPlugin.php
@ -224,23 +224,18 @@ final class DarkConsoleServicesPlugin extends DarkConsolePlugin {
              $row['explain']['reason']);
          }

-          $info = phutil_escape_html($info);
          break;
        case 'connect':
          $info = $row['host'].':'.$row['database'];
-          $info = phutil_escape_html($info);
          break;
        case 'exec':
          $info = $row['command'];
-          $info = phutil_escape_html($info);
          break;
        case 'conduit':
          $info = $row['method'];
-          $info = phutil_escape_html($info);
          break;
        case 'http':
          $info = $row['uri'];
-          $info = phutil_escape_html($info);
          break;
        default:
          $info = '-';
@ -248,7 +243,7 @@ final class DarkConsoleServicesPlugin extends DarkConsolePlugin {
      }

      $rows[] = array(
-        phutil_escape_html($row['type']),
+        $row['type'],
        '+'.number_format(1000 * ($row['begin'] - $data['start'])).' ms',
        number_format(1000000 * $row['duration']).' us',
        $info,
--- a/src/applications/audit/view/PhabricatorAuditCommitListView.php
+++ b/src/applications/audit/view/PhabricatorAuditCommitListView.php
@ -70,10 +70,10 @@ final class PhabricatorAuditCommitListView extends AphrontView {
      $rows[] = array(
        $commit_name,
        $author_name,
-        phutil_escape_html($commit->getCommitData()->getSummary()),
+        $commit->getCommitData()->getSummary(),
        PhabricatorAuditCommitStatusConstants::getStatusName(
          $commit->getAuditStatus()),
-        implode(', ', $auditors),
+        array_interleave(', ', $auditors),
        phabricator_datetime($commit->getEpoch(), $this->user),
      );
    }
--- a/src/applications/audit/view/PhabricatorAuditListView.php
+++ b/src/applications/audit/view/PhabricatorAuditListView.php
@ -129,10 +129,7 @@ final class PhabricatorAuditListView extends AphrontView {
      }

      $reasons = $audit->getAuditReasons();
-      foreach ($reasons as $key => $reason) {
-        $reasons[$key] = phutil_escape_html($reason);
-      }
-      $reasons = implode('<br />', $reasons);
+      $reasons = array_interleave(phutil_tag('br'), $reasons);

      $status_code = $audit->getAuditStatus();
      $status = PhabricatorAuditStatusConstants::getStatusName($status_code);
@ -140,10 +137,10 @@ final class PhabricatorAuditListView extends AphrontView {
      $auditor_handle = $this->getHandle($audit->getAuditorPHID());
      $rows[] = array(
        $commit_name,
-        phutil_escape_html($commit_desc),
+        $commit_desc,
        $committed,
        $auditor_handle->renderLink(),
-        phutil_escape_html($status),
+        $status,
        $reasons,
      );

--- a/src/applications/auth/controller/PhabricatorOAuthDiagnosticsController.php
+++ b/src/applications/auth/controller/PhabricatorOAuthDiagnosticsController.php
@ -21,11 +21,11 @@ final class PhabricatorOAuthDiagnosticsController
    $client_id      = $provider->getClientID();
    $client_secret  = $provider->getClientSecret();
    $key            = $provider->getProviderKey();
-    $name           = phutil_escape_html($provider->getProviderName());
+    $name           = $provider->getProviderName();

-    $res_ok = '<strong style="color: #00aa00;">OK</strong>';
-    $res_no = '<strong style="color: #aa0000;">NO</strong>';
-    $res_na = '<strong style="color: #999999;">N/A</strong>';
+    $res_ok = hsprintf('<strong style="color: #00aa00;">OK</strong>');
+    $res_no = hsprintf('<strong style="color: #aa0000;">NO</strong>');
+    $res_na = hsprintf('<strong style="color: #999999;">N/A</strong>');

    $results = array();
    $auth_key = $key . '.auth-enabled';
@ -159,10 +159,10 @@ final class PhabricatorOAuthDiagnosticsController
    $rows = array();
    foreach ($results as $key => $result) {
      $rows[] = array(
-        phutil_escape_html($key),
+        $key,
        $result[0],
-        phutil_escape_html($result[1]),
-        phutil_escape_html($result[2]),
+        $result[1],
+        $result[2],
      );
    }

--- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
@ -346,7 +346,7 @@ final class PhabricatorConduitAPIController
    if ($request) {
      foreach ($request->getAllParameters() as $key => $value) {
        $param_rows[] = array(
-          phutil_escape_html($key),
+          $key,
          $this->renderAPIValue($value),
        );
      }
@ -362,7 +362,7 @@ final class PhabricatorConduitAPIController
    $result_rows = array();
    foreach ($result as $key => $value) {
      $result_rows[] = array(
-        phutil_escape_html($key),
+        $key,
        $this->renderAPIValue($value),
      );
    }
--- a/src/applications/conduit/controller/PhabricatorConduitLogController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitLogController.php
@ -65,9 +65,9 @@ final class PhabricatorConduitLogController
      }
      $rows[] = array(
        $call->getConnectionID(),
-        phutil_escape_html($conn->getUserName()),
-        phutil_escape_html($call->getMethod()),
-        phutil_escape_html($call->getError()),
+        $conn->getUserName(),
+        $call->getMethod(),
+        $call->getError(),
        number_format($call->getDuration()).' us',
        phabricator_datetime($call->getDateCreated(), $user),
      );
--- a/src/applications/config/controller/PhabricatorConfigAllController.php
+++ b/src/applications/config/controller/PhabricatorConfigAllController.php
@ -14,13 +14,12 @@ final class PhabricatorConfigAllController
      $key = $option->getKey();

      if ($option->getMasked()) {
-        $value = '<em>'.pht('Masked').'</em>';
+        $value = phutil_tag('em', array(), pht('Masked'));
      } else if ($option->getHidden()) {
-        $value = '<em>'.pht('Hidden').'</em>';
+        $value = phutil_tag('em', array(), pht('Hidden'));
      } else {
        $value = PhabricatorEnv::getEnvConfig($key);
        $value = PhabricatorConfigJSON::prettyPrintJSON($value);
-        $value = phutil_escape_html($value);
      }

      $rows[] = array(
--- a/src/applications/conpherence/controller/ConpherenceViewController.php
+++ b/src/applications/conpherence/controller/ConpherenceViewController.php
@ -283,7 +283,7 @@ final class ConpherenceViewController extends
            'src' => $thumb
          ),
          ''),
-        phutil_escape_html($file->getName()),
+        $file->getName(),
      );
    }
    $header = id(new PhabricatorHeaderView())
--- a/src/applications/countdown/controller/PhabricatorCountdownListController.php
+++ b/src/applications/countdown/controller/PhabricatorCountdownListController.php
@ -46,7 +46,7 @@ final class PhabricatorCountdownListController
          'Delete');
      }
      $rows[] = array(
-        phutil_escape_html($timer->getID()),
+        $timer->getID(),
        $handles[$timer->getAuthorPHID()]->renderLink(),
        phutil_tag(
          'a',
--- a/src/applications/daemon/controller/PhabricatorDaemonConsoleController.php
+++ b/src/applications/daemon/controller/PhabricatorDaemonConsoleController.php
@ -30,7 +30,7 @@ final class PhabricatorDaemonConsoleController
    $rows = array();
    foreach ($completed_info as $class => $info) {
      $rows[] = array(
-        phutil_escape_html($class),
+        $class,
        number_format($info['n']),
        number_format((int)($info['duration'] / $info['n'])).' us',
      );
@ -127,7 +127,7 @@ final class PhabricatorDaemonConsoleController
    $rows = array();
    foreach ($queued as $row) {
      $rows[] = array(
-        phutil_escape_html($row['taskClass']),
+        $row['taskClass'],
        number_format($row['N']),
      );
    }
--- a/src/applications/daemon/view/PhabricatorDaemonLogEventsView.php
+++ b/src/applications/daemon/view/PhabricatorDaemonLogEventsView.php
@ -60,7 +60,7 @@ final class PhabricatorDaemonLogEventsView extends AphrontView {
      }

      $row = array(
-        phutil_escape_html($event->getLogType()),
+        $event->getLogType(),
        phabricator_date($event->getEpoch(), $this->user),
        phabricator_time($event->getEpoch(), $this->user),
        phutil_escape_html_newlines($message.$more),
--- a/src/applications/daemon/view/PhabricatorDaemonLogListView.php
+++ b/src/applications/daemon/view/PhabricatorDaemonLogListView.php
@ -76,8 +76,8 @@ final class PhabricatorDaemonLogListView extends AphrontView {

      $rows[] = array(
        $running,
-        phutil_escape_html($log->getDaemon()),
-        phutil_escape_html($log->getHost()),
+        $log->getDaemon(),
+        $log->getHost(),
        $log->getPID(),
        phabricator_date($epoch, $this->user),
        phabricator_time($epoch, $this->user),
--- a/src/applications/differential/field/specification/DifferentialReviewersFieldSpecification.php
+++ b/src/applications/differential/field/specification/DifferentialReviewersFieldSpecification.php
@ -146,7 +146,7 @@ final class DifferentialReviewersFieldSpecification
          $names[] = phutil_escape_html(
            $this->getHandle($reviewer)->getLinkName());
        }
-        $suffix = ' '.javelin_tag(
+        $suffix = javelin_tag(
          'abbr',
          array(
            'sigil' => 'has-tooltip',
@ -159,9 +159,12 @@ final class DifferentialReviewersFieldSpecification
      } else {
        $suffix = null;
      }
-      return $this->getHandle($primary_reviewer)->renderLink().$suffix;
+      return hsprintf(
+        '%s %s',
+        $this->getHandle($primary_reviewer)->renderLink(),
+        $suffix);
    } else {
-      return '<em>None</em>';
+      return phutil_tag('em', array(), 'None');
    }
  }

--- a/src/applications/differential/view/DifferentialRevisionListView.php
+++ b/src/applications/differential/view/DifferentialRevisionListView.php
@ -128,18 +128,18 @@ final class DifferentialRevisionListView extends AphrontView {

      } else if (array_key_exists($revision->getID(), $this->drafts)) {
        $src = '/rsrc/image/icon/fatcow/page_white_edit.png';
-        $flag =
-          '<a href="/D'.$revision->getID().'#comment-preview">'.
-            phutil_tag(
-              'img',
-              array(
-                'src' => celerity_get_resource_uri($src),
-                'width' => 16,
-                'height' => 16,
-                'alt' => 'Draft',
-                'title' => pht('Draft Comment'),
-              )).
-            '</a>';
+        $flag = hsprintf(
+          '<a href="%s">%s</a>',
+          '/D'.$revision->getID().'#comment-preview',
+          phutil_tag(
+            'img',
+            array(
+              'src' => celerity_get_resource_uri($src),
+              'width' => 16,
+              'height' => 16,
+              'alt' => 'Draft',
+              'title' => pht('Draft Comment'),
+            )));
      }

      $row = array($flag);
--- a/src/applications/diffusion/controller/DiffusionExternalController.php
+++ b/src/applications/diffusion/controller/DiffusionExternalController.php
@ -103,7 +103,7 @@ final class DiffusionExternalController extends DiffusionController {
              'href' => $href,
            ),
              'r'.$repo->getCallsign().$commit->getCommitIdentifier()),
-          phutil_escape_html($commit->loadCommitData()->getSummary()),
+          $commit->loadCommitData()->getSummary(),
        );
      }

--- a/src/applications/diffusion/controller/DiffusionHomeController.php
+++ b/src/applications/diffusion/controller/DiffusionHomeController.php
@ -19,7 +19,7 @@ final class DiffusionHomeController extends DiffusionController {
              'href' => $shortcut->getHref(),
            ),
            $shortcut->getName()),
-          phutil_escape_html($shortcut->getDescription()),
+          $shortcut->getDescription(),
        );
      }

@ -130,7 +130,7 @@ final class DiffusionHomeController extends DiffusionController {
            'href' => '/diffusion/'.$repository->getCallsign().'/',
          ),
          $repository->getName()),
-        phutil_escape_html($repository->getDetail('description')),
+        $repository->getDetail('description'),
        PhabricatorRepositoryType::getNameForRepositoryType(
          $repository->getVersionControlSystem()),
        $size,
--- a/src/applications/diffusion/controller/DiffusionLintController.php
+++ b/src/applications/diffusion/controller/DiffusionLintController.php
@ -71,11 +71,10 @@ final class DiffusionLintController extends DiffusionController {
          '<a href="%s">%s</a>',
          $drequest->generateURI(array('action' => 'lint')),
          $drequest->getCallsign()),
-        phutil_escape_html(ArcanistLintSeverity::getStringForSeverity(
-          $code['maxSeverity'])),
-        phutil_escape_html($code['code']),
-        phutil_escape_html($code['maxName']),
-        phutil_escape_html($code['maxDescription']),
+        ArcanistLintSeverity::getStringForSeverity($code['maxSeverity']),
+        $code['code'],
+        $code['maxName'],
+        $code['maxDescription'],
      );
    }

--- a/src/applications/diffusion/controller/DiffusionLintDetailsController.php
+++ b/src/applications/diffusion/controller/DiffusionLintDetailsController.php
@ -34,10 +34,9 @@ final class DiffusionLintDetailsController extends DiffusionController {
      $rows[] = array(
        $path,
        $line,
-        phutil_escape_html(ArcanistLintSeverity::getStringForSeverity(
-          $message['severity'])),
-        phutil_escape_html($message['name']),
-        phutil_escape_html($message['description']),
+        ArcanistLintSeverity::getStringForSeverity($message['severity']),
+        $message['name'],
+        $message['description'],
      );
    }

--- a/src/applications/diffusion/controller/DiffusionRepositoryController.php
+++ b/src/applications/diffusion/controller/DiffusionRepositoryController.php
@ -125,9 +125,7 @@ final class DiffusionRepositoryController extends DiffusionController {

    $rows = array();
    foreach ($properties as $key => $value) {
-      $rows[] = array(
-        phutil_escape_html($key),
-        phutil_escape_html($value));
+      $rows[] = array($key, $value);
    }

    $table = new AphrontTableView($rows);
--- a/src/applications/diffusion/controller/DiffusionSymbolController.php
+++ b/src/applications/diffusion/controller/DiffusionSymbolController.php
@ -81,8 +81,8 @@ final class DiffusionSymbolController extends DiffusionController {
        $project_name = '-';
      }

-      $file = phutil_escape_html($symbol->getPath());
-      $line = phutil_escape_html($symbol->getLineNumber());
+      $file = $symbol->getPath();
+      $line = $symbol->getLineNumber();

      $repo = $symbol->getRepository();
      if ($repo) {
@ -101,17 +101,17 @@ final class DiffusionSymbolController extends DiffusionController {
          ),
          $file.':'.$line);
      } else if ($file) {
-        $location = phutil_escape_html($file.':'.$line);
+        $location = $file.':'.$line;
      } else {
        $location = '?';
      }

      $rows[] = array(
-        phutil_escape_html($symbol->getSymbolType()),
-        phutil_escape_html($symbol->getSymbolContext()),
-        phutil_escape_html($symbol->getSymbolName()),
-        phutil_escape_html($symbol->getSymbolLanguage()),
-        phutil_escape_html($project_name),
+        $symbol->getSymbolType(),
+        $symbol->getSymbolContext(),
+        $symbol->getSymbolName(),
+        $symbol->getSymbolLanguage(),
+        $project_name,
        $location,
      );
    }
--- a/src/applications/diffusion/view/DiffusionBrowseTableView.php
+++ b/src/applications/diffusion/view/DiffusionBrowseTableView.php
@ -55,7 +55,7 @@ final class DiffusionBrowseTableView extends DiffusionView {
          $committer = self::renderName($committer);
        }
        if ($author != $committer) {
-          $author .= '/'.$committer;
+          $author = hsprintf('%s/%s', $author, $committer);
        }
      }

@ -132,24 +132,17 @@ final class DiffusionBrowseTableView extends DiffusionView {
        $browse_text = $path->getPath().'/';
        $dir_slash = '/';

-        $browse_link = '<strong>'.$this->linkBrowse(
+        $browse_link = phutil_tag('strong', array(), $this->linkBrowse(
          $base_path.$path->getPath().$dir_slash,
          array(
-            'text' => $this->renderPathIcon(
-              'dir',
-              $browse_text),
-          )).'</strong>';
+            'text' => $this->renderPathIcon('dir', $browse_text),
+          )));
      } else if ($file_type == DifferentialChangeType::FILE_SUBMODULE) {
        $browse_text = $path->getPath().'/';
-        $browse_link =
-          '<strong>'.
-            $this->linkExternal(
-              $path->getHash(),
-              $path->getExternalURI(),
-              $this->renderPathIcon(
-                'ext',
-                $browse_text)).
-          '</strong>';
+        $browse_link = phutil_tag('strong', array(), $this->linkExternal(
+          $path->getHash(),
+          $path->getExternalURI(),
+          $this->renderPathIcon('ext', $browse_text)));
      } else {
        if ($file_type == DifferentialChangeType::FILE_SYMLINK) {
          $type = 'link';
@ -190,7 +183,7 @@ final class DiffusionBrowseTableView extends DiffusionView {

        $need_pull[$uri] = $dict;
        foreach ($dict as $k => $uniq) {
-          $dict[$k] = '<span id="'.$uniq.'"></span>';
+          $dict[$k] = phutil_tag('span', array('id' => $uniq), '');
        }
      }

--- a/src/applications/diffusion/view/DiffusionCommitChangeTableView.php
+++ b/src/applications/diffusion/view/DiffusionCommitChangeTableView.php
@ -51,7 +51,7 @@ final class DiffusionCommitChangeTableView extends DiffusionView {
          ),
          $path);
      } else {
-        $path_column = phutil_escape_html($path);
+        $path_column = $path;
      }

      $rows[] = array(
--- a/src/applications/diffusion/view/DiffusionHistoryTableView.php
+++ b/src/applications/diffusion/view/DiffusionHistoryTableView.php
@ -107,7 +107,7 @@ final class DiffusionHistoryTableView extends DiffusionView {
        } else {
          $committer = self::renderName($committer);
        }
-        $author .= '/'.$committer;
+        $author = hsprintf('%s/%s', $author, $committer);
      }

      $commit = $history->getCommit();
@ -118,7 +118,7 @@ final class DiffusionHistoryTableView extends DiffusionView {
          $path = null,
          $history->getCommitIdentifier());
      } else {
-        $change = "<em>Importing\xE2\x80\xA6</em>";
+        $change = phutil_tag('em', array(), "Importing\xE2\x80\xA6");
      }

      $rows[] = array(
--- a/src/applications/diffusion/view/DiffusionTagListView.php
+++ b/src/applications/diffusion/view/DiffusionTagListView.php
@ -79,7 +79,6 @@ final class DiffusionTagListView extends DiffusionView {
          $description = $tag->getDescription();
        }
      }
-      $description = phutil_escape_html($description);

      $rows[] = array(
        $tag_link,
--- a/src/applications/diffusion/view/DiffusionView.php
+++ b/src/applications/diffusion/view/DiffusionView.php
@ -156,7 +156,7 @@ abstract class DiffusionView extends AphrontView {
        ),
        $email->getDisplayName());
    }
-    return phutil_escape_html($name);
+    return hsprintf('%s', $name);
  }

 }
--- a/src/applications/drydock/controller/DrydockController.php
+++ b/src/applications/drydock/controller/DrydockController.php
@ -44,7 +44,7 @@ abstract class DrydockController extends PhabricatorController {
            'href' => $lease_uri,
          ),
          $log->getLeaseID()),
-        phutil_escape_html($log->getMessage()),
+        $log->getMessage(),
        phabricator_date($log->getEpoch(), $user),
      );
    }
--- a/src/applications/fact/controller/PhabricatorFactHomeController.php
+++ b/src/applications/fact/controller/PhabricatorFactHomeController.php
@ -32,10 +32,7 @@ final class PhabricatorFactHomeController extends PhabricatorFactController {
      $name = $spec->getName();
      $value = $spec->formatValueForDisplay($user, $fact->getValueX());

-      $rows[] = array(
-        phutil_escape_html($name),
-        phutil_escape_html($value),
-      );
+      $rows[] = array($name, $value);
    }

    $table = new AphrontTableView($rows);
--- a/src/applications/flag/view/PhabricatorFlagListView.php
+++ b/src/applications/flag/view/PhabricatorFlagListView.php
@ -27,7 +27,7 @@ final class PhabricatorFlagListView extends AphrontView {
          ),
          ''),
        $flag->getHandle()->renderLink(),
-        phutil_escape_html($flag->getNote()),
+        $flag->getNote(),
        phabricator_datetime($flag->getDateCreated(), $user),
        phabricator_form(
          $user,
--- a/src/applications/herald/controller/HeraldTranscriptController.php
+++ b/src/applications/herald/controller/HeraldTranscriptController.php
@ -301,8 +301,8 @@ final class HeraldTranscriptController extends HeraldController {
      }

      $rows[] = array(
-        phutil_escape_html($action_names[$apply_xscript->getAction()]),
-        phutil_escape_html($target),
+        $action_names[$apply_xscript->getAction()],
+        $target,
        hsprintf(
          '<strong>Taken because:</strong> %s<br />'.
            '<strong>Outcome:</strong> %s %s',
@ -487,15 +487,10 @@ final class HeraldTranscriptController extends HeraldController {
              'class' => 'herald-field-value-transcript',
            ),
            $value);
-        } else {
-          $value = phutil_escape_html($value);
        }
      }

-      $rows[] = array(
-        phutil_escape_html($name),
-        $value,
-      );
+      $rows[] = array($name, $value);
    }

    $table = new AphrontTableView($rows);
--- a/src/applications/mailinglists/controller/PhabricatorMailingListsListController.php
+++ b/src/applications/mailinglists/controller/PhabricatorMailingListsListController.php
@ -31,8 +31,8 @@ final class PhabricatorMailingListsListController
    $rows = array();
    foreach ($lists as $list) {
      $rows[] = array(
-        phutil_escape_html($list->getName()),
-        phutil_escape_html($list->getEmail()),
+        $list->getName(),
+        $list->getEmail(),
        phutil_tag(
          'a',
          array(
--- a/src/applications/maniphest/controller/ManiphestReportController.php
+++ b/src/applications/maniphest/controller/ManiphestReportController.php
@ -363,9 +363,9 @@ final class ManiphestReportController extends ManiphestController {
    $fmt = number_format($delta);
    if ($delta > 0) {
      $fmt = '+'.$fmt;
-      $fmt = '<span class="red">'.$fmt.'</span>';
+      $fmt = hsprintf('<span class="red">%s</span>', $fmt);
    } else {
-      $fmt = '<span class="green">'.$fmt.'</span>';
+      $fmt = hsprintf('<span class="green">%s</span>', $fmt);
    }

    return array(
--- a/src/applications/maniphest/controller/ManiphestSavedQueryListController.php
+++ b/src/applications/maniphest/controller/ManiphestSavedQueryListController.php
@ -81,7 +81,7 @@ final class ManiphestSavedQueryListController extends ManiphestController {
          'value'     => 0,
          'checked'   => ($default === null ? 'checked' : null),
        )),
-      '<em>No Default</em>',
+      phutil_tag('em', array(), 'No Default'),
      '',
      '',
    );
--- a/src/applications/metamta/controller/PhabricatorMetaMTAListController.php
+++ b/src/applications/metamta/controller/PhabricatorMetaMTAListController.php
@ -67,7 +67,7 @@ final class PhabricatorMetaMTAListController
        phabricator_datetime($mail->getDateCreated(), $user),
        phabricator_format_relative_time_detailed(
          time() - $mail->getDateModified()),
-        phutil_escape_html($mail->getSubject()),
+        $mail->getSubject(),
        phutil_tag(
          'a',
          array(
--- a/src/applications/metamta/controller/PhabricatorMetaMTAReceivedListController.php
+++ b/src/applications/metamta/controller/PhabricatorMetaMTAReceivedListController.php
@ -38,7 +38,7 @@ final class PhabricatorMetaMTAReceivedListController
        $mail->getRelatedPHID()
          ? $handles[$mail->getRelatedPHID()]->renderLink()
          : '-',
-        phutil_escape_html($mail->getMessage()),
+        $mail->getMessage(),
      );
    }

--- a/src/applications/notification/controller/PhabricatorNotificationStatusController.php
+++ b/src/applications/notification/controller/PhabricatorNotificationStatusController.php
@ -45,22 +45,19 @@ final class PhabricatorNotificationStatusController

    $rows = array();
    foreach ($status as $key => $value) {
-      $label = phutil_escape_html($key);
-
      switch ($key) {
        case 'uptime':
          $value /= 1000;
          $value = phabricator_format_relative_time_detailed($value);
          break;
        case 'log':
-          $value = phutil_escape_html($value);
          break;
        default:
-          $value = phutil_escape_html(number_format($value));
+          $value = number_format($value);
          break;
      }

-      $rows[] = array($label, $value);
+      $rows[] = array($key, $value);
    }

    $table = new AphrontTableView($rows);
--- a/src/applications/owners/controller/PhabricatorOwnersDetailController.php
+++ b/src/applications/owners/controller/PhabricatorOwnersDetailController.php
@ -47,32 +47,25 @@ final class PhabricatorOwnersDetailController

    $rows = array();

-    $rows[] = array(
-      'Name',
-      phutil_escape_html($package->getName()));
-    $rows[] = array(
-      'Description',
-      phutil_escape_html($package->getDescription()));
+    $rows[] = array('Name', $package->getName());
+    $rows[] = array('Description', $package->getDescription());

    $primary_owner = null;
    $primary_phid = $package->getPrimaryOwnerPHID();
    if ($primary_phid && isset($handles[$primary_phid])) {
-      $primary_owner =
-        '<strong>'.$handles[$primary_phid]->renderLink().'</strong>';
+      $primary_owner = phutil_tag(
+        'strong',
+        array(),
+        $handles[$primary_phid]->renderLink());
    }
-    $rows[] = array(
-      'Primary Owner',
-      $primary_owner,
-      );
+    $rows[] = array('Primary Owner', $primary_owner);

    $owner_links = array();
    foreach ($owners as $owner) {
      $owner_links[] = $handles[$owner->getUserPHID()]->renderLink();
    }
-    $owner_links = implode('<br />', $owner_links);
-    $rows[] = array(
-      'Owners',
-      $owner_links);
+    $owner_links = array_interleave(phutil_tag('br'), $owner_links);
+    $rows[] = array('Owners', $owner_links);

    $rows[] = array(
      'Auditing',
@ -99,14 +92,14 @@ final class PhabricatorOwnersDetailController
          'href' => (string) $href,
        ),
        $path->getPath());
-      $path_links[] =
-        ($path->getExcluded() ? '&ndash;' : '+').' '.
-        $repo_name.' '.$path_link;
+      $path_links[] = hsprintf(
+        '%s %s %s',
+        ($path->getExcluded() ? "\xE2\x80\x93" : '+'),
+        $repo_name,
+        $path_link);
    }
-    $path_links = implode('<br />', $path_links);
-    $rows[] = array(
-      'Paths',
-      $path_links);
+    $path_links = array_interleave(phutil_tag('br'), $path_links);
+    $rows[] = array('Paths', $path_links);

    $table = new AphrontTableView($rows);
    $table->setColumnClasses(
--- a/src/applications/owners/controller/PhabricatorOwnersListController.php
+++ b/src/applications/owners/controller/PhabricatorOwnersListController.php
@ -235,10 +235,10 @@ final class PhabricatorOwnersListController
      foreach ($pkg_owners as $key => $owner) {
        $pkg_owners[$key] = $handles[$owner->getUserPHID()]->renderLink();
        if ($owner->getUserPHID() == $package->getPrimaryOwnerPHID()) {
-          $pkg_owners[$key] = '<strong>'.$pkg_owners[$key].'</strong>';
+          $pkg_owners[$key] = phutil_tag('strong', array(), $pkg_owners[$key]);
        }
      }
-      $pkg_owners = implode('<br />', $pkg_owners);
+      $pkg_owners = array_interleave(phutil_tag('br'), $pkg_owners);

      $pkg_paths = idx($paths, $package->getID(), array());
      foreach ($pkg_paths as $key => $path) {
@ -251,20 +251,21 @@ final class PhabricatorOwnersListController
              'path'     => $path->getPath(),
              'action'   => 'browse',
            ));
-          $pkg_paths[$key] =
-            ($path->getExcluded() ? '&ndash;' : '+').' '.
-            phutil_tag('strong', array(), $repo->getName()).
+          $pkg_paths[$key] = hsprintf(
+            '%s %s%s',
+            ($path->getExcluded() ? "\xE2\x80\x93" : '+'),
+            phutil_tag('strong', array(), $repo->getName()),
            phutil_tag(
              'a',
              array(
                'href' => (string) $href,
              ),
-              $path->getPath());
+              $path->getPath()));
        } else {
-          $pkg_paths[$key] = phutil_escape_html($path->getPath());
+          $pkg_paths[$key] = $path->getPath();
        }
      }
-      $pkg_paths = implode('<br />', $pkg_paths);
+      $pkg_paths = array_interleave(phutil_tag('br'), $pkg_paths);

      $rows[] = array(
        phutil_tag(
--- a/src/applications/people/controller/PhabricatorPeopleLdapController.php
+++ b/src/applications/people/controller/PhabricatorPeopleLdapController.php
@ -153,34 +153,29 @@ final class PhabricatorPeopleLdapController

  private function renderUserInputs($user) {
    $username = $user[0];
-    $inputs =  phutil_tag(
-      'input',
-      array(
-        'type' => 'checkbox',
-        'name' => 'usernames[]',
-        'value' =>$username,
-      ),
-      '');
-
-    $inputs .=  phutil_tag(
-      'input',
-      array(
-        'type' => 'hidden',
-        'name' => "email[$username]",
-        'value' =>$user[1],
-      ),
-      '');
-
-    $inputs .=  phutil_tag(
-      'input',
-      array(
-        'type' => 'hidden',
-        'name' => "name[$username]",
-        'value' =>$user[2],
-      ),
-      '');
-
-    return $inputs;
+    return hsprintf(
+      '%s%s%s',
+      phutil_tag(
+        'input',
+        array(
+          'type' => 'checkbox',
+          'name' => 'usernames[]',
+          'value' => $username,
+        )),
+      phutil_tag(
+        'input',
+        array(
+          'type' => 'hidden',
+          'name' => "email[$username]",
+          'value' => $user[1],
+        )),
+      phutil_tag(
+        'input',
+        array(
+          'type' => 'hidden',
+          'name' => "name[$username]",
+          'value' => $user[2],
+        )));
  }

 }
--- a/src/applications/people/controller/PhabricatorPeopleListController.php
+++ b/src/applications/people/controller/PhabricatorPeopleListController.php
@ -55,7 +55,7 @@ final class PhabricatorPeopleListController
            'href' => '/p/'.$user->getUsername().'/',
          ),
          $user->getUserName()),
-        phutil_escape_html($user->getRealName()),
+        $user->getRealName(),
        $status,
        $email,
        phutil_tag(
--- a/src/applications/people/controller/PhabricatorPeopleLogsController.php
+++ b/src/applications/people/controller/PhabricatorPeopleLogsController.php
@ -157,10 +157,8 @@ final class PhabricatorPeopleLogsController
        phabricator_date($log->getDateCreated(),$user),
        phabricator_time($log->getDateCreated(),$user),
        $log->getAction(),
-        $log->getActorPHID()
-          ? phutil_escape_html($handles[$log->getActorPHID()]->getName())
-          : null,
-        phutil_escape_html($handles[$log->getUserPHID()]->getName()),
+        $log->getActorPHID() ? $handles[$log->getActorPHID()]->getName() : null,
+        $handles[$log->getUserPHID()]->getName(),
        json_encode($log->getOldValue(), true),
        json_encode($log->getNewValue(), true),
        phutil_tag(
--- a/src/applications/phid/controller/PhabricatorPHIDLookupController.php
+++ b/src/applications/phid/controller/PhabricatorPHIDLookupController.php
@ -24,9 +24,9 @@ final class PhabricatorPHIDLookupController
        }

        $rows[] = array(
-          phutil_escape_html($handle->getPHID()),
-          phutil_escape_html($handle->getType()),
-          phutil_escape_html($handle->getName()),
+          $handle->getPHID(),
+          $handle->getType(),
+          $handle->getName(),
          $link,
        );
      }
--- a/src/applications/phriction/controller/PhrictionDiffController.php
+++ b/src/applications/phriction/controller/PhrictionDiffController.php
@ -234,9 +234,9 @@ final class PhrictionDiffController
      $rows[] = array(
        phabricator_date($c->getDateCreated(), $user),
        phabricator_time($c->getDateCreated(), $user),
-        phutil_escape_html('Version '.$c->getVersion()),
+        'Version '.$c->getVersion(),
        $handles[$c->getAuthorPHID()]->renderLink(),
-        phutil_escape_html($c->getDescription()),
+        $c->getDescription(),
      );
    }

--- a/src/applications/phriction/controller/PhrictionHistoryController.php
+++ b/src/applications/phriction/controller/PhrictionHistoryController.php
@ -49,7 +49,7 @@ final class PhrictionHistoryController

      $diff_uri = new PhutilURI('/phriction/diff/'.$document->getID().'/');

-      $vs_previous = '<em>'.pht('Created').'</em>';
+      $vs_previous = phutil_tag('em', array(), pht('Created'));
      if ($content->getVersion() != 1) {
        $uri = $diff_uri
          ->alter('l', $content->getVersion() - 1)
@ -62,7 +62,7 @@ final class PhrictionHistoryController
          pht('Show Change'));
      }

-      $vs_head = '<em>'.pht('Current').'</em>';
+      $vs_head = phutil_tag('em', array(), pht('Current'));
      if ($content->getID() != $document->getContentID()) {
        $uri = $diff_uri
          ->alter('l', $content->getVersion())
@ -90,7 +90,7 @@ final class PhrictionHistoryController
          pht('Version %s', $version)),
        $handles[$content->getAuthorPHID()]->renderLink(),
        $change_type,
-        phutil_escape_html($content->getDescription()),
+        $content->getDescription(),
        $vs_previous,
        $vs_head,
      );
--- a/src/applications/project/controller/PhabricatorProjectListController.php
+++ b/src/applications/project/controller/PhabricatorProjectListController.php
@ -106,10 +106,9 @@ final class PhabricatorProjectListController
            'href' => '/project/view/'.$project->getID().'/',
          ),
          $project->getName()),
-        phutil_escape_html(
-          PhabricatorProjectStatus::getNameForStatus($project->getStatus())),
-        phutil_escape_html($blurb),
-        phutil_escape_html($population),
+        PhabricatorProjectStatus::getNameForStatus($project->getStatus()),
+        $blurb,
+        $population,
        phutil_tag(
          'a',
          array(
--- a/src/applications/repository/controller/PhabricatorRepositoryListController.php
+++ b/src/applications/repository/controller/PhabricatorRepositoryListController.php
@ -27,12 +27,12 @@ final class PhabricatorRepositoryListController
          ),
          'View in Diffusion');
      } else {
-        $diffusion_link = '<em>Not Tracked</em>';
+        $diffusion_link = phutil_tag('em', array(), 'Not Tracked');
      }

      $rows[] = array(
-        phutil_escape_html($repo->getCallsign()),
-        phutil_escape_html($repo->getName()),
+        $repo->getCallsign(),
+        $repo->getName(),
        PhabricatorRepositoryType::getNameForRepositoryType(
          $repo->getVersionControlSystem()),
        $diffusion_link,
@ -98,13 +98,13 @@ final class PhabricatorRepositoryListController
    foreach ($projects as $project) {
      $repo = idx($repos, $project->getRepositoryID());
      if ($repo) {
-        $repo_name = phutil_escape_html($repo->getName());
+        $repo_name = $repo->getName();
      } else {
        $repo_name = '-';
      }

      $rows[] = array(
-        phutil_escape_html($project->getName()),
+        $project->getName(),
        $repo_name,
        phutil_tag(
          'a',
--- a/src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
@ -103,7 +103,7 @@ final class PhabricatorSettingsPanelEmailAddresses
      }

      $rows[] = array(
-        phutil_escape_html($email->getAddress()),
+        $email->getAddress(),
        $action,
        $remove,
      );
--- a/src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php
@ -182,8 +182,8 @@ final class PhabricatorSettingsPanelSSHKeys
            'href' => $this->getPanelURI('?edit='.$key->getID()),
          ),
          $key->getName()),
-        phutil_escape_html($key->getKeyComment()),
-        phutil_escape_html($key->getKeyType()),
+        $key->getKeyComment(),
+        $key->getKeyType(),
        phabricator_date($key->getDateCreated(), $user),
        phabricator_time($key->getDateCreated(), $user),
        javelin_tag(
--- a/src/applications/typeahead/controller/PhabricatorTypeaheadCommonDatasourceController.php
+++ b/src/applications/typeahead/controller/PhabricatorTypeaheadCommonDatasourceController.php
@ -297,9 +297,6 @@ final class PhabricatorTypeaheadCommonDatasourceController
    $rows = array();
    foreach ($results as $result) {
      $wire = $result->getWireFormat();
-      foreach ($wire as $k => $v) {
-        $wire[$k] = phutil_escape_html($v);
-      }
      $rows[] = $wire;
    }

--- a/src/view/AphrontJavelinView.php
+++ b/src/view/AphrontJavelinView.php
@ -21,7 +21,7 @@ final class AphrontJavelinView extends AphrontView {

  public function render() {
    $id = celerity_generate_unique_node_id();
-    $placeholder = "<span id={$id} />";
+    $placeholder = phutil_tag('span', array('id' => $id));

    require_celerity_resource($this->getCelerityResource());

--- a/src/view/control/AphrontTableView.php
+++ b/src/view/control/AphrontTableView.php
@ -111,18 +111,7 @@ final class AphrontTableView extends AphrontView {
  public function render() {
    require_celerity_resource('aphront-table-view-css');

-    $table_class = $this->className;
-
-    if ($this->deviceReadyTable) {
-      $table_class .= ' aphront-table-view-device-ready';
-    }
-
-    if ($table_class !== null) {
-      $table_class = ' class="aphront-table-view '.$table_class.'"';
-    } else {
-      $table_class = ' class="aphront-table-view"';
-    }
-    $table = array('<table'.$table_class.'>');
+    $table = array();

    $col_classes = array();
    foreach ($this->columnClasses as $key => $class) {
@ -151,7 +140,8 @@ final class AphrontTableView extends AphrontView {
      while (count($headers) > count($sort_values)) {
        $sort_values[] = null;
      }
-      $table[] = '<tr>';
+
+      $tr = array();
      foreach ($headers as $col_num => $header) {
        if (!$visibility[$col_num]) {
          continue;
@ -202,7 +192,7 @@ final class AphrontTableView extends AphrontView {
        }

        if ($classes) {
-          $class = ' class="'.implode(' ', $classes).'"';
+          $class = implode(' ', $classes);
        } else {
          $class = null;
        }
@ -221,12 +211,12 @@ final class AphrontTableView extends AphrontView {
            ),
            $short_headers[$col_num]);

-          $header = $header_nodevice.$header_device;
+          $header = hsprintf('%s %s', $header_nodevice, $header_device);
        }

-        $table[] = '<th'.$class.'>'.$header.'</th>';
+        $tr[] = phutil_tag('th', array('class' => $class), $header);
      }
-      $table[] = '</tr>';
+      $table[] = phutil_tag('tr', array(), $tr);
    }

    foreach ($col_classes as $key => $value) {
@ -251,18 +241,7 @@ final class AphrontTableView extends AphrontView {
        while (count($row) > count($visibility)) {
          $visibility[] = true;
        }
-        $class = idx($this->rowClasses, $row_num);
-        if ($this->zebraStripes && ($row_num % 2)) {
-          if ($class !== null) {
-            $class = 'alt alt-'.$class;
-          } else {
-            $class = 'alt';
-          }
-        }
-        if ($class !== null) {
-          $class = ' class="'.$class.'"';
-        }
-        $table[] = '<tr'.$class.'>';
+        $tr = array();
        // NOTE: Use of a separate column counter is to allow this to work
        // correctly if the row data has string or non-sequential keys.
        $col_num = 0;
@ -275,26 +254,40 @@ final class AphrontTableView extends AphrontView {
          if (!empty($this->cellClasses[$row_num][$col_num])) {
            $class = trim($class.' '.$this->cellClasses[$row_num][$col_num]);
          }
-          if ($class !== null) {
-            $table[] = '<td class="'.$class.'">';
-          } else {
-            $table[] = '<td>';
-          }
-          $table[] = $value.'</td>';
+          $tr[] = phutil_tag('td', array('class' => $class), $value);
          ++$col_num;
        }
+
+        $class = idx($this->rowClasses, $row_num);
+        if ($this->zebraStripes && ($row_num % 2)) {
+          if ($class !== null) {
+            $class = 'alt alt-'.$class;
+          } else {
+            $class = 'alt';
+          }
+        }
+
+        $table[] = phutil_tag('tr', array('class' => $class), $tr);
        ++$row_num;
      }
    } else {
      $colspan = max(count(array_filter($visibility)), 1);
-      $table[] =
-        '<tr class="no-data"><td colspan="'.$colspan.'">'.
-          coalesce($this->noDataString, 'No data available.').
-        '</td></tr>';
+      $table[] = hsprintf(
+        '<tr class="no-data"><td colspan="%s">%s</td></tr>',
+        $colspan,
+        coalesce($this->noDataString, 'No data available.'));
    }
-    $table[] = '</table>';
-    $html = implode('', $table);
-    return '<div class="aphront-table-wrap">'.$html.'</div>';
+
+    $table_class = 'aphront-table-view';
+    if ($this->className !== null) {
+      $table_class .= ' '.$this->className;
+    }
+    if ($this->deviceReadyTable) {
+      $table_class .= ' aphront-table-view-device-ready';
+    }
+
+    $html = phutil_tag('table', array('class' => $table_class), $table);
+    return hsprintf('<div class="aphront-table-wrap">%s</div>', $html);
  }

  public static function renderSingleDisplayLine($line) {