Properly escape inline <script>
Test Plan: Loaded Phabricator page, checked the source code. Also:

    $c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId=';
    echo CelerityStaticResourceResponse::renderInlineScript(
      jsprintf(
        'console.log(%s); // </script> %s',
        $c_uri,
        "</script><b>x</b>"));

Reviewers: epriestley, btrahan

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D5741
parent
b216dc9c2c
commit
e8dd67b88c
3 changed files with 19 additions and 10 deletions
|
@ -162,8 +162,7 @@ final class PhamePostView extends AphrontView {
|
||||||
'');
|
'');
|
||||||
|
|
||||||
$c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId='.$fb_id;
|
$c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId='.$fb_id;
|
||||||
$fb_js = hsprintf(
|
$fb_js = CelerityStaticResourceResponse::renderInlineScript(
|
||||||
'<script>%s</script>',
|
|
||||||
jsprintf(
|
jsprintf(
|
||||||
'(function(d, s, id) {'.
|
'(function(d, s, id) {'.
|
||||||
' var js, fjs = d.getElementsByTagName(s)[0];'.
|
' var js, fjs = d.getElementsByTagName(s)[0];'.
|
||||||
|
@ -211,8 +210,7 @@ final class PhamePostView extends AphrontView {
|
||||||
));
|
));
|
||||||
|
|
||||||
// protip - try some var disqus_developer = 1; action to test locally
|
// protip - try some var disqus_developer = 1; action to test locally
|
||||||
$disqus_js = hsprintf(
|
$disqus_js = CelerityStaticResourceResponse::renderInlineScript(
|
||||||
'<script>%s</script>',
|
|
||||||
jsprintf(
|
jsprintf(
|
||||||
' var disqus_shortname = "phabricator";'.
|
' var disqus_shortname = "phabricator";'.
|
||||||
' var disqus_identifier = %s;'.
|
' var disqus_identifier = %s;'.
|
||||||
|
|
|
@ -182,14 +182,24 @@ final class CelerityStaticResourceResponse {
|
||||||
|
|
||||||
if ($data) {
|
if ($data) {
|
||||||
$data = implode("\n", $data);
|
$data = implode("\n", $data);
|
||||||
return hsprintf(
|
return self::renderInlineScript($data);
|
||||||
'<script type="text/javascript">//<![CDATA['."\n".'%s//]]></script>',
|
|
||||||
phutil_safe_html($data));
|
|
||||||
} else {
|
} else {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static function renderInlineScript($data) {
|
||||||
|
if (stripos($data, '</script>') !== false) {
|
||||||
|
throw new Exception(
|
||||||
|
'Literal </script> is not allowed inside inline script.');
|
||||||
|
}
|
||||||
|
return hsprintf(
|
||||||
|
// We don't use <![CDATA[ ]]> because it is ignored by HTML parsers. We
|
||||||
|
// would need to send the document with XHTML content type.
|
||||||
|
'<script type="text/javascript">%s</script>',
|
||||||
|
phutil_safe_html($data));
|
||||||
|
}
|
||||||
|
|
||||||
public function buildAjaxResponse($payload, $error = null) {
|
public function buildAjaxResponse($payload, $error = null) {
|
||||||
$response = array(
|
$response = array(
|
||||||
'error' => $error,
|
'error' => $error,
|
||||||
|
|
|
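Review bot: The guard in renderInlineScript() rejects only the exact byte sequence `</script>`, but an HTML parser ends script data at `</script` followed by whitespace, `/` or `>`, so input containing `</script >` or `</script/` passes the stripos() check and still closes the tag. A prefix test closes that gap: `if (stripos($data, '</script') !== false) {`, with the message adjusted to `'Literal </script is not allowed inside inline script.'`. The check also cannot see what jsprintf() did to its `%s` arguments, so it is only a backstop; if jsprintf() is not guaranteed to escape `/` in the strings it encodes (the test plan suggests it is), the primary defence belongs there. A short comment on the method saying it checks the closing-tag sequence only, and not other script-data parser transitions such as `<!--`, would tell the next reader what the helper does and does not promise.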
@ -91,13 +91,14 @@ class PhabricatorBarePageView extends AphrontPageView {
|
||||||
|
|
||||||
$response = CelerityAPI::getStaticResourceResponse();
|
$response = CelerityAPI::getStaticResourceResponse();
|
||||||
|
|
||||||
|
$developer = PhabricatorEnv::getEnvConfig('phabricator.developer-mode');
|
||||||
return hsprintf(
|
return hsprintf(
|
||||||
'%s%s%s<script type="text/javascript">%s window.__DEV__=%s;</script>%s',
|
'%s%s%s%s%s',
|
||||||
$viewport_tag,
|
$viewport_tag,
|
||||||
$icon_tag,
|
$icon_tag,
|
||||||
$apple_tag,
|
$apple_tag,
|
||||||
$framebust,
|
CelerityStaticResourceResponse::renderInlineScript(
|
||||||
(PhabricatorEnv::getEnvConfig('phabricator.developer-mode') ? '1' : '0'),
|
$framebust.jsprintf('window.__DEV__=%d;', ($developer ? 1 : 0))),
|
||||||
$response->renderResourcesOfType('css'));
|
$response->renderResourcesOfType('css'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
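Review bot: The new argument `$framebust.jsprintf('window.__DEV__=%d;', ($developer ? 1 : 0))` joins `$framebust`, which is built outside the hunk, directly onto the `__DEV__` assignment with no separator, whereas the old format string kept a space between the two. If `$framebust` is empty or already ends in `;` or `}` this is harmless, but a newline separator, `$framebust."\n".jsprintf('window.__DEV__=%d;', ($developer ? 1 : 0))`, keeps the two statements visibly distinct in the page source at no cost. renderInlineScript() now also runs stripos() over the concatenated value, so `$framebust` must be a plain string here rather than a safe-HTML object; that is worth confirming where it is assigned, since its definition is not in the hunk. The enclosing method starts before the hunk.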