mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-20 04:20:55 +01:00
Fix a self-XSS hole in Diffusion
Summary: Via HackerOne. We aren't correctly escaping the date, so a user can XSS themselves by setting their date format creatively. This construction is very unusual and I don't think we do anything similar elsewhere, so I can't come up with a systematic change which would prevent this in the general case. Test Plan: Set date format to tag junk, got self-XSS before patch and proper escaping after the patch. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D12117
This commit is contained in:
parent
80b8dc521d
commit
ac029d0a50
1 changed files with 6 additions and 0 deletions
|
@ -153,6 +153,12 @@ final class DiffusionLastModifiedController extends DiffusionController {
|
|||
number_format($lint));
|
||||
}
|
||||
|
||||
// The client treats these results as markup, so make sure they have been
|
||||
// escaped correctly.
|
||||
foreach ($return as $key => $value) {
|
||||
$return[$key] = hsprintf('%s', $value);
|
||||
}
|
||||
|
||||
return $return;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue