Don't escape quotation marks when printing the monospaced CSS rule
Summary: Fixes T7888. This is currently safe, but double quotes are incorrectly escaped. To keep them unescaped, we have to punch through PhutilSafeHTML a bit. Since the allowable characters are strictly filtered this is still safe in practice, just not as theoretically-safe. Test Plan: Set font to `32px "impact"` (with quotes), saw impact font. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T7888 Differential Revision: https://secure.phabricator.com/D12506
This commit is contained in:
parent
4dea152215
commit
e7702acdc6
3 changed files with 16 additions and 5 deletions
@ -30,9 +30,8 @@ final class PhabricatorDisplayPreferencesSettingsPanel
|
|||
$e_editor = null;
|
||||
if ($request->isFormPost()) {
|
||||
$monospaced = $request->getStr($pref_monospaced);
|
||||
|
||||
// Prevent the user from doing stupid things.
|
||||
$monospaced = preg_replace('/[^a-z0-9 ,".]+/i', '', $monospaced);
|
||||
$monospaced = PhabricatorUserPreferences::filterMonospacedCSSRule(
|
||||
$monospaced);
|
||||
|
||||
$preferences->setPreference($pref_titles, $request->getStr($pref_titles));
|
||||
$preferences->setPreference($pref_editor, $request->getStr($pref_editor));
|
||||
|
|
|
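Review bot: The filtered value silently replaces what the user submitted, so input such as `'impact'` (single quotes) or a `sans-serif` fallback is saved as `impact` / `sansserif` with no feedback, and the panel appears to track per-field errors already (`$e_editor` at the top of the hunk). Consider comparing the raw `$request->getStr($pref_monospaced)` with the result of `filterMonospacedCSSRule()` and setting a validation error on the field when they differ, instead of storing the altered string. Filtering at save time as well as at output time in PhabricatorStandardPageView is a sensible belt-and-braces arrangement and should stay. The enclosing method starts and ends outside this hunk, and the line that writes `$monospaced` into `$preferences` is not shown.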
@ -101,4 +101,9 @@ final class PhabricatorUserPreferences extends PhabricatorUserDAO {
|
|||
return $large;
|
||||
}
|
||||
|
||||
public static function filterMonospacedCSSRule($monospaced) {
|
||||
// Prevent the user from doing dangerous things.
|
||||
return preg_replace('/[^a-z0-9 ,".]+/i', '', $monospaced);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
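Review bot: `filterMonospacedCSSRule()` is now a security boundary — PhabricatorStandardPageView wraps its return value in `PhutilSafeHTML` and prints it unescaped inside a `<style>` element — but nothing at the definition says so, and the inline comment only restates the regex. A docblock stating that the return value is emitted as raw markup, that the allowlist therefore deliberately drops `< > / & ; { } ( ) : \ '` and every non-ASCII byte (the pattern has no `u` modifier, so multibyte characters are removed byte by byte), and that widening the character class requires re-reviewing every caller, would make the contract explicit; the inline line could become `// Allowlist: output is emitted as raw CSS inside <style>, see callers.`. The retained `"` is only safe because the value lands in element content, so the string must not be reused inside an HTML attribute such as `style="..."`. Worth documenting as a known limitation too: `-` is stripped, so generic families like `sans-serif` cannot be expressed.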
@ -287,7 +287,7 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView {
|
|||
$user = $request->getUser();
|
||||
if ($user) {
|
||||
$monospaced = $user->loadPreferences()->getPreference(
|
||||
PhabricatorUserPreferences::PREFERENCE_MONOSPACED);
|
||||
PhabricatorUserPreferences::PREFERENCE_MONOSPACED);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -295,12 +295,19 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView {
|
|||
|
||||
$font_css = null;
|
||||
if (!empty($monospaced)) {
|
||||
// We can't print this normally because escaping quotation marks will
|
||||
// break the CSS. Instead, filter it strictly and then mark it as safe.
|
||||
$monospaced = new PhutilSafeHTML(
|
||||
PhabricatorUserPreferences::filterMonospacedCSSRule(
|
||||
$monospaced));
|
||||
|
||||
$font_css = hsprintf(
|
||||
'<style type="text/css">'.
|
||||
'.PhabricatorMonospaced, '.
|
||||
'.phabricator-remarkup .remarkup-code-block '.
|
||||
'.remarkup-code { font: %s !important; } '.
|
||||
'</style>', $monospaced);
|
||||
'</style>',
|
||||
$monospaced);
|
||||
}
|
||||
|
||||
return hsprintf(
|
||||
|
|
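Review bot: The `!empty($monospaced)` test on the second line of the hunk runs on the raw preference, but filtering happens only afterwards, so a stored value made entirely of stripped characters still emits `font:  !important;` — invalid CSS that browsers should ignore, but it is cheap to avoid. Since `$monospaced` may be unset when `$user` is falsy (the `if ($user)` in the previous hunk), the outer `empty()` guard should stay; inside it, filter into a local first, `$filtered = PhabricatorUserPreferences::filterMonospacedCSSRule($monospaced);`, and guard the `<style>` emission with `if (strlen($filtered)) {` before wrapping `$filtered` in `PhutilSafeHTML`. The `new PhutilSafeHTML(...)` call is the one place on this page where escaping is deliberately bypassed (as far as I can tell `hsprintf` passes such instances through unescaped), and the whole safety argument rests on that allowlist, so the comment could say so directly: `// SAFETY: marked safe only because filterMonospacedCSSRule() strips everything except [a-z0-9 ,".]; never pass any other value through PhutilSafeHTML here.` The enclosing method continues past the end of the hunk.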