revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-19 05:12:41 +01:00
Code Issues Releases Wiki Activity

Don't escape quotation marks when printing the monospaced CSS rule

Browse source 
Summary:
Fixes T7888. This is currently safe, but double quotes are incorrectly escaped.

To keep them unescaped, we have to punch through PhutilSafeHTML a bit. Since the allowable characters are strictly filtered this is still safe in practice, just not as theoretically-safe.

Test Plan: Set font to `32px "impact"` (with quotes), saw impact font.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7888

Differential Revision: https://secure.phabricator.com/D12506
This commit is contained in:
epriestley 2015-04-22 09:28:35 -07:00
parent 4dea152215
commit e7702acdc6
3 changed files with 16 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/applications/settings/panel/PhabricatorDisplayPreferencesSettingsPanel.php
View file

@ -30,9 +30,8 @@ final class PhabricatorDisplayPreferencesSettingsPanel
$e_editor = null; $e_editor = null;
if ($request->isFormPost()) { if ($request->isFormPost()) {
$monospaced = $request->getStr($pref_monospaced); $monospaced = $request->getStr($pref_monospaced);
$monospaced = PhabricatorUserPreferences::filterMonospacedCSSRule(
// Prevent the user from doing stupid things. $monospaced);
$monospaced = preg_replace('/[^a-z0-9 ,".]+/i', '', $monospaced);
$preferences->setPreference($pref_titles, $request->getStr($pref_titles)); $preferences->setPreference($pref_titles, $request->getStr($pref_titles));
$preferences->setPreference($pref_editor, $request->getStr($pref_editor)); $preferences->setPreference($pref_editor, $request->getStr($pref_editor));

5
src/applications/settings/storage/PhabricatorUserPreferences.php
View file

@ -101,4 +101,9 @@ final class PhabricatorUserPreferences extends PhabricatorUserDAO {
return $large; return $large;
} }
public static function filterMonospacedCSSRule($monospaced) {
// Prevent the user from doing dangerous things.
return preg_replace('/[^a-z0-9 ,".]+/i', '', $monospaced);
}
} }

11
src/view/page/PhabricatorStandardPageView.php
View file

@ -287,7 +287,7 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView {
$user = $request->getUser(); $user = $request->getUser();
if ($user) { if ($user) {
$monospaced = $user->loadPreferences()->getPreference( $monospaced = $user->loadPreferences()->getPreference(
PhabricatorUserPreferences::PREFERENCE_MONOSPACED); PhabricatorUserPreferences::PREFERENCE_MONOSPACED);
} }
} }
@ -295,12 +295,19 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView {
$font_css = null; $font_css = null;
if (!empty($monospaced)) { if (!empty($monospaced)) {
// We can't print this normally because escaping quotation marks will
// break the CSS. Instead, filter it strictly and then mark it as safe.
$monospaced = new PhutilSafeHTML(
PhabricatorUserPreferences::filterMonospacedCSSRule(
$monospaced));
$font_css = hsprintf( $font_css = hsprintf(
'<style type="text/css">'. '<style type="text/css">'.
'.PhabricatorMonospaced, '. '.PhabricatorMonospaced, '.
'.phabricator-remarkup .remarkup-code-block '. '.phabricator-remarkup .remarkup-code-block '.
'.remarkup-code { font: %s !important; } '. '.remarkup-code { font: %s !important; } '.
'</style>', $monospaced); '</style>',
$monospaced);
} }
return hsprintf( return hsprintf(