
Properly escape inline <script>

Test Plan:
Loaded Phabricator page, checked the source code. Also:

    $c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId=';
    echo CelerityStaticResourceResponse::renderInlineScript(
      jsprintf(
        'console.log(%s); // </script>
        %s',
        $c_uri,
        "</script><b>x</b>"));

Reviewers: epriestley, btrahan

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D5741
This commit is contained in:
Jakub Vrana 2013-04-20 17:55:47 -07:00
parent b216dc9c2c
commit e8dd67b88c
3 changed files with 19 additions and 10 deletions


@ -162,8 +162,7 @@ final class PhamePostView extends AphrontView {
''); '');
$c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId='.$fb_id; $c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId='.$fb_id;
$fb_js = hsprintf( $fb_js = CelerityStaticResourceResponse::renderInlineScript(
'<script>%s</script>',
jsprintf( jsprintf(
'(function(d, s, id) {'. '(function(d, s, id) {'.
' var js, fjs = d.getElementsByTagName(s)[0];'. ' var js, fjs = d.getElementsByTagName(s)[0];'.
@ -211,8 +210,7 @@ final class PhamePostView extends AphrontView {
)); ));
// protip - try some var disqus_developer = 1; action to test locally // protip - try some var disqus_developer = 1; action to test locally
$disqus_js = hsprintf( $disqus_js = CelerityStaticResourceResponse::renderInlineScript(
'<script>%s</script>',
jsprintf( jsprintf(
' var disqus_shortname = "phabricator";'. ' var disqus_shortname = "phabricator";'.
' var disqus_identifier = %s;'. ' var disqus_identifier = %s;'.
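Review bot: Both hunks (L37 and L45) now route their jsprintf() output through renderInlineScript(), which throws an Exception on a literal `</script>` rather than emitting broken markup, so a bad `$fb_id` or Disqus identifier would abort rendering of the whole post instead of degrading that one widget; the jsprintf argument lists run past each hunk, so not all substituted values are visible here. If jsprintf's `%s` JSON-encodes its argument (which escapes `/`), the exception is unreachable from these values and the change is safe, but that property is not shown in this file. A one-line comment at L36, `// embedded via jsprintf(%s); renderInlineScript() rejects a literal </script>`, would record the assumption for the next reader.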


@ -182,14 +182,24 @@ final class CelerityStaticResourceResponse {
if ($data) { if ($data) {
$data = implode("\n", $data); $data = implode("\n", $data);
return hsprintf( return self::renderInlineScript($data);
'<script type="text/javascript">//<![CDATA['."\n".'%s//]]></script>',
phutil_safe_html($data));
} else { } else {
return ''; return '';
} }
} }
public static function renderInlineScript($data) {
if (stripos($data, '</script>') !== false) {
throw new Exception(
'Literal </script> is not allowed inside inline script.');
}
return hsprintf(
// We don't use <![CDATA[ ]]> because it is ignored by HTML parsers. We
// would need to send the document with XHTML content type.
'<script type="text/javascript">%s</script>',
phutil_safe_html($data));
}
public function buildAjaxResponse($payload, $error = null) { public function buildAjaxResponse($payload, $error = null) {
$response = array( $response = array(
'error' => $error, 'error' => $error,
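Review bot: The guard at L64 rejects only the exact token `</script>`, but an HTML tokenizer ends a script element at `</script` followed by whitespace, `/` or `>`, so text containing `</script ` or `</script/` still closes the element while the check stays silent; `if (preg_match('@</script[\s/>]@i', $data)) {` covers those forms and keeps the case-insensitivity that stripos() gave. The new public method also has no docblock: it should say that `$data` is emitted verbatim as script text (it goes straight through phutil_safe_html() with no escaping), so callers must pass already JS-safe code such as jsprintf() output, and that an Exception is thrown when the text would terminate the element early. The CDATA comment at L69-L70 is useful and should stay with the template.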


@ -91,13 +91,14 @@ class PhabricatorBarePageView extends AphrontPageView {
$response = CelerityAPI::getStaticResourceResponse(); $response = CelerityAPI::getStaticResourceResponse();
$developer = PhabricatorEnv::getEnvConfig('phabricator.developer-mode');
return hsprintf( return hsprintf(
'%s%s%s<script type="text/javascript">%s window.__DEV__=%s;</script>%s', '%s%s%s%s%s',
$viewport_tag, $viewport_tag,
$icon_tag, $icon_tag,
$apple_tag, $apple_tag,
$framebust, CelerityStaticResourceResponse::renderInlineScript(
(PhabricatorEnv::getEnvConfig('phabricator.developer-mode') ? '1' : '0'), $framebust.jsprintf('window.__DEV__=%d;', ($developer ? 1 : 0))),
$response->renderResourcesOfType('css')); $response->renderResourcesOfType('css'));
} }
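Review bot: The concatenation `$framebust.jsprintf(...)` on L89 places `$framebust` inside the inline script unescaped, whereas the old template passed it through hsprintf's `%s`; since `$framebust` is assigned before this hunk, the new code depends on it being a plain JavaScript fragment with no literal `</script>`, otherwise renderInlineScript() throws and the page fails to render. That assumption is worth pinning with a comment above the return, `// $framebust is a JS fragment (not HTML); renderInlineScript() throws on a literal </script>.`, hedged because the assignment isn't visible here. Minor: `($developer ? 1 : 0)` feeding `%d` could be `(int) $developer` if jsprintf's `%d` casts its argument, which this hunk does not show. The enclosing method opens outside the hunk.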