1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-19 12:00:55 +01:00

Don't escape quotation marks when printing the monospaced CSS rule

Summary:
Fixes T7888. This is currently safe, but double quotes are incorrectly escaped.

To keep them unescaped, we have to punch through PhutilSafeHTML a bit. Since the allowable characters are strictly filtered this is still safe in practice, just not as theoretically-safe.

Test Plan: Set font to `32px "impact"` (with quotes), saw impact font.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7888

Differential Revision: https://secure.phabricator.com/D12506
This commit is contained in:
epriestley 2015-04-22 09:28:35 -07:00
parent 4dea152215
commit e7702acdc6
3 changed files with 16 additions and 5 deletions

View file

@ -30,9 +30,8 @@ final class PhabricatorDisplayPreferencesSettingsPanel
$e_editor = null;
if ($request->isFormPost()) {
$monospaced = $request->getStr($pref_monospaced);
// Prevent the user from doing stupid things.
$monospaced = preg_replace('/[^a-z0-9 ,".]+/i', '', $monospaced);
$monospaced = PhabricatorUserPreferences::filterMonospacedCSSRule(
$monospaced);
$preferences->setPreference($pref_titles, $request->getStr($pref_titles));
$preferences->setPreference($pref_editor, $request->getStr($pref_editor));

View file

@ -101,4 +101,9 @@ final class PhabricatorUserPreferences extends PhabricatorUserDAO {
return $large;
}
public static function filterMonospacedCSSRule($monospaced) {
// Prevent the user from doing dangerous things.
return preg_replace('/[^a-z0-9 ,".]+/i', '', $monospaced);
}
}

View file

@ -287,7 +287,7 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView {
$user = $request->getUser();
if ($user) {
$monospaced = $user->loadPreferences()->getPreference(
PhabricatorUserPreferences::PREFERENCE_MONOSPACED);
PhabricatorUserPreferences::PREFERENCE_MONOSPACED);
}
}
@ -295,12 +295,19 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView {
$font_css = null;
if (!empty($monospaced)) {
// We can't print this normally because escaping quotation marks will
// break the CSS. Instead, filter it strictly and then mark it as safe.
$monospaced = new PhutilSafeHTML(
PhabricatorUserPreferences::filterMonospacedCSSRule(
$monospaced));
$font_css = hsprintf(
'<style type="text/css">'.
'.PhabricatorMonospaced, '.
'.phabricator-remarkup .remarkup-code-block '.
'.remarkup-code { font: %s !important; } '.
'</style>', $monospaced);
'</style>',
$monospaced);
}
return hsprintf(