Properly escape inline <script>
Test Plan: Loaded Phabricator page, checked the source code. Also: $c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId='; echo CelerityStaticResourceResponse::renderInlineScript( jsprintf( 'console.log(%s); // </script> %s', $c_uri, "</script><b>x</b>")); Reviewers: epriestley, btrahan Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5741
This commit is contained in:
parent
b216dc9c2c
commit
e8dd67b88c
3 changed files with 19 additions and 10 deletions
@ -162,8 +162,7 @@ final class PhamePostView extends AphrontView {
|
|||
'');
|
||||
|
||||
$c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId='.$fb_id;
|
||||
$fb_js = hsprintf(
|
||||
'<script>%s</script>',
|
||||
$fb_js = CelerityStaticResourceResponse::renderInlineScript(
|
||||
jsprintf(
|
||||
'(function(d, s, id) {'.
|
||||
' var js, fjs = d.getElementsByTagName(s)[0];'.
|
||||
|
@ -211,8 +210,7 @@ final class PhamePostView extends AphrontView {
|
|||
));
|
||||
|
||||
// protip - try some var disqus_developer = 1; action to test locally
|
||||
$disqus_js = hsprintf(
|
||||
'<script>%s</script>',
|
||||
$disqus_js = CelerityStaticResourceResponse::renderInlineScript(
|
||||
jsprintf(
|
||||
' var disqus_shortname = "phabricator";'.
|
||||
' var disqus_identifier = %s;'.
|
||||
|
|
|
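Review bot: Both PhamePostView hunks now hand the Facebook and Disqus snippets to renderInlineScript, which throws on a literal `</script>`; the template strings shown are static literals, and the only dynamic pieces (`$c_uri` at L21, `disqus_identifier` at L69) appear to be passed as jsprintf `%s` arguments, which is presumably what keeps the check from firing on user-controlled values. That invariant is worth stating at the call site so a later edit does not concatenate a value into the template: `// Dynamic values go through jsprintf %s (JSON-encoded), never string concatenation: renderInlineScript() throws on a literal </script>.` The `$fb_id` concatenation into `$c_uri` is only safe because `$c_uri` is itself later passed as a jsprintf argument, which these hunks do not show; confirm that is the case. Both enclosing methods start and end outside the hunks.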
@ -182,14 +182,24 @@ final class CelerityStaticResourceResponse {
|
|||
|
||||
if ($data) {
|
||||
$data = implode("\n", $data);
|
||||
return hsprintf(
|
||||
'<script type="text/javascript">//<![CDATA['."\n".'%s//]]></script>',
|
||||
phutil_safe_html($data));
|
||||
return self::renderInlineScript($data);
|
||||
} else {
|
||||
return '';
|
||||
}
|
||||
}
|
||||
|
||||
public static function renderInlineScript($data) {
|
||||
if (stripos($data, '</script>') !== false) {
|
||||
throw new Exception(
|
||||
'Literal </script> is not allowed inside inline script.');
|
||||
}
|
||||
return hsprintf(
|
||||
// We don't use <![CDATA[ ]]> because it is ignored by HTML parsers. We
|
||||
// would need to send the document with XHTML content type.
|
||||
'<script type="text/javascript">%s</script>',
|
||||
phutil_safe_html($data));
|
||||
}
|
||||
|
||||
public function buildAjaxResponse($payload, $error = null) {
|
||||
$response = array(
|
||||
'error' => $error,
|
||||
|
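Review bot: The guard in `renderInlineScript` at L115 rejects only the exact token `</script>`, but an HTML tokenizer closes a script element at `</script` followed by whitespace, `/` or `>`, so text such as `</script >` or `</script/` passes the check and still terminates the element. Dropping the closing bracket makes the check conservative at no cost: `if (stripos($data, '</script') !== false) {`. The new method also has no docblock; a short comment such as `// Wraps raw JavaScript in a <script> tag. $data must already be JavaScript built with jsprintf() so interpolated values are encoded; throws if the text could close the element early.` would tell callers what they are responsible for. renderResourcesOfType, which now delegates here, starts outside the hunk.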
|
|
@ -91,13 +91,14 @@ class PhabricatorBarePageView extends AphrontPageView {
|
|||
|
||||
$response = CelerityAPI::getStaticResourceResponse();
|
||||
|
||||
$developer = PhabricatorEnv::getEnvConfig('phabricator.developer-mode');
|
||||
return hsprintf(
|
||||
'%s%s%s<script type="text/javascript">%s window.__DEV__=%s;</script>%s',
|
||||
'%s%s%s%s%s',
|
||||
$viewport_tag,
|
||||
$icon_tag,
|
||||
$apple_tag,
|
||||
$framebust,
|
||||
(PhabricatorEnv::getEnvConfig('phabricator.developer-mode') ? '1' : '0'),
|
||||
CelerityStaticResourceResponse::renderInlineScript(
|
||||
$framebust.jsprintf('window.__DEV__=%d;', ($developer ? 1 : 0))),
|
||||
$response->renderResourcesOfType('css'));
|
||||
}
|
||||
|
||||
|
|
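Review bot: The new inline script at L199 concatenates `$framebust` directly onto `jsprintf('window.__DEV__=%d;', …)` with no separator, whereas the old template at L175 had a space between the two; `$framebust` is built outside the hunk, so if it can be a statement without a trailing `;` or newline the two join into a single token and the script fails to parse. Joining with a newline avoids depending on how `$framebust` ends: `$framebust."\n".jsprintf('window.__DEV__=%d;', ($developer ? 1 : 0))`. `$framebust` was previously interpolated into an hsprintf template, so it is presumably already a safe-HTML or empty value; confirm it is never a plain escaped string, since renderInlineScript wraps the whole argument in phutil_safe_html without further encoding. The enclosing method starts outside the hunk.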