
Minor, fix XSS in task description change notifications.

This commit is contained in:
epriestley 2012-06-24 15:15:32 -07:00
parent a705f336a3
commit bedc9acf98


@ -26,13 +26,13 @@ final class PhabricatorFeedStoryManiphest
$this->getStoryData()->getAuthorPHID(), $this->getStoryData()->getAuthorPHID(),
$data->getValue('taskPHID'), $data->getValue('taskPHID'),
$data->getValue('ownerPHID'), $data->getValue('ownerPHID'),
)); ));
} }
public function getRequiredObjectPHIDs() { public function getRequiredObjectPHIDs() {
return array( return array(
$this->getStoryData()->getAuthorPHID(), $this->getStoryData()->getAuthorPHID(),
); );
} }
public function renderView() { public function renderView() {
@ -78,44 +78,33 @@ final class PhabricatorFeedStoryManiphest
} }
private function getLineForData($data) { private function getLineForData($data) {
$actor_phid = $data->getAuthorPHID();
$owner_phid = $data->getValue('ownerPHID');
$task_phid = $data->getValue('taskPHID');
$action = $data->getValue('action'); $action = $data->getValue('action');
$description = $data->getValue('description');
$comments = phutil_escape_html(
phutil_utf8_shorten(
$data->getValue('comments'),
140));
$actor_phid = $data->getAuthorPHID();
$actor_link = $this->linkTo($actor_phid); $actor_link = $this->linkTo($actor_phid);
$task_phid = $data->getValue('taskPHID');
$task_link = $this->linkTo($task_phid); $task_link = $this->linkTo($task_phid);
$owner_phid = $data->getValue('ownerPHID');
$owner_link = $this->linkTo($owner_phid); $owner_link = $this->linkTo($owner_phid);
$verb = ManiphestAction::getActionPastTenseVerb($action); $verb = ManiphestAction::getActionPastTenseVerb($action);
if (($action == ManiphestAction::ACTION_ASSIGN
|| $action == ManiphestAction::ACTION_REASSIGN)
&& !$owner_phid) {
//double assignment since the action is diff in this case
$verb = $action = 'placed up for grabs';
}
$one_line = "{$actor_link} {$verb} {$task_link}";
switch ($action) { switch ($action) {
case ManiphestAction::ACTION_ASSIGN: case ManiphestAction::ACTION_ASSIGN:
case ManiphestAction::ACTION_REASSIGN: case ManiphestAction::ACTION_REASSIGN:
$one_line .= " to {$owner_link}"; if ($owner_phid) {
$one_line = "{$actor_link} {$verb} to {$owner_link}";
} else {
$one_line = "{$actor_link} placed {$task_link} up for grabs";
}
break; break;
case ManiphestAction::ACTION_DESCRIPTION: default:
$one_line .= " to {$description}"; $one_line = "{$actor_link} {$verb} {$task_link}";
break; break;
} }
if ($comments) {
$one_line .= " \"{$comments}\"";
}
return $one_line; return $one_line;
} }
} }
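Review bot: The rewritten switch in getLineForData fixes the injection by dropping the description (and comments) fragments rather than escaping them, but nothing in the new code records that `$one_line` is raw HTML, so the next person to re-add a free-text field has no hint that it needs `phutil_escape_html()` as the old `$comments` path had. I would add a comment above the switch: `// $one_line is raw HTML: every fragment interpolated here must already be escaped (linkTo() output) or come from a fixed vocabulary (getActionPastTenseVerb()).` and give the method a one-line docblock stating that it returns an HTML string summarising a single story data entry. Whether getActionPastTenseVerb() only ever returns static strings is not visible in this hunk, so that assumption is worth confirming before relying on `$verb` unescaped in the default branch. The first hunk at `@ -26,13 +26,13 @@` is context only and raises nothing.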