Don't escape quotation marks when printing the monospaced CSS rule

Summary: Fixes T7888. This is currently safe, but double quotes are incorrectly escaped. To keep them unescaped, we have to punch through PhutilSafeHTML a bit. Since the allowable characters are strictly filtered this is still safe in practice, just not as theoretically-safe. Test Plan: Set font to `32px "impact"` (with quotes), saw impact font. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T7888 Differential Revision: https://secure.phabricator.com/D12506
2024-11-19 05:12:41 +01:00 · 2015-04-22 09:28:35 -07:00 · 2015-04-22 09:28:35 -07:00 · e7702acdc6
commit e7702acdc6
parent 4dea152215
3 changed files with 16 additions and 5 deletions
--- a/src/applications/settings/panel/PhabricatorDisplayPreferencesSettingsPanel.php
+++ b/src/applications/settings/panel/PhabricatorDisplayPreferencesSettingsPanel.php
@ -30,9 +30,8 @@ final class PhabricatorDisplayPreferencesSettingsPanel
    $e_editor = null;
    if ($request->isFormPost()) {
      $monospaced = $request->getStr($pref_monospaced);
-
-      // Prevent the user from doing stupid things.
-      $monospaced = preg_replace('/[^a-z0-9 ,".]+/i', '', $monospaced);
+      $monospaced = PhabricatorUserPreferences::filterMonospacedCSSRule(
+        $monospaced);

      $preferences->setPreference($pref_titles, $request->getStr($pref_titles));
      $preferences->setPreference($pref_editor, $request->getStr($pref_editor));
--- a/src/applications/settings/storage/PhabricatorUserPreferences.php
+++ b/src/applications/settings/storage/PhabricatorUserPreferences.php
@ -101,4 +101,9 @@ final class PhabricatorUserPreferences extends PhabricatorUserDAO {
    return $large;
  }

+  public static function filterMonospacedCSSRule($monospaced) {
+    // Prevent the user from doing dangerous things.
+    return preg_replace('/[^a-z0-9 ,".]+/i', '', $monospaced);
+  }
+
 }
--- a/src/view/page/PhabricatorStandardPageView.php
+++ b/src/view/page/PhabricatorStandardPageView.php
@ -287,7 +287,7 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView {
      $user = $request->getUser();
      if ($user) {
        $monospaced = $user->loadPreferences()->getPreference(
-            PhabricatorUserPreferences::PREFERENCE_MONOSPACED);
+          PhabricatorUserPreferences::PREFERENCE_MONOSPACED);
      }
    }

@ -295,12 +295,19 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView {

    $font_css = null;
    if (!empty($monospaced)) {
+      // We can't print this normally because escaping quotation marks will
+      // break the CSS. Instead, filter it strictly and then mark it as safe.
+      $monospaced = new PhutilSafeHTML(
+        PhabricatorUserPreferences::filterMonospacedCSSRule(
+          $monospaced));
+
      $font_css = hsprintf(
        '<style type="text/css">'.
        '.PhabricatorMonospaced, '.
        '.phabricator-remarkup .remarkup-code-block '.
          '.remarkup-code { font: %s !important; } '.
-        '</style>', $monospaced);
+        '</style>',
+        $monospaced);
    }

    return hsprintf(