diff --git a/src/applications/differential/field/specification/DifferentialBlameRevisionFieldSpecification.php b/src/applications/differential/field/specification/DifferentialBlameRevisionFieldSpecification.php
index 27573da141..0c4bb8c366 100644
--- a/src/applications/differential/field/specification/DifferentialBlameRevisionFieldSpecification.php
+++ b/src/applications/differential/field/specification/DifferentialBlameRevisionFieldSpecification.php
@@ -48,7 +48,7 @@ final class DifferentialBlameRevisionFieldSpecification
 return null;
 }
 $engine = PhabricatorMarkupEngine::newDifferentialMarkupEngine();
- return $engine->markupText($this->value);
+ return phutil_safe_html($engine->markupText($this->value));
 }
 public function shouldAppearOnConduitView() {
diff --git a/src/applications/differential/field/specification/DifferentialUnitFieldSpecification.php b/src/applications/differential/field/specification/DifferentialUnitFieldSpecification.php
index b4e89b3fa9..348964045c 100644
--- a/src/applications/differential/field/specification/DifferentialUnitFieldSpecification.php
+++ b/src/applications/differential/field/specification/DifferentialUnitFieldSpecification.php
@@ -113,7 +113,7 @@ final class DifferentialUnitFieldSpecification
 $userdata = idx($test, 'userdata');
 if ($userdata) {
 $engine = PhabricatorMarkupEngine::newDifferentialMarkupEngine();
- $userdata = $engine->markupText($userdata);
+ $userdata = phutil_safe_html($engine->markupText($userdata));
 $rows[] = array(
 'style' => 'details',
 'value' => $userdata,
diff --git a/src/applications/diffusion/controller/DiffusionBrowseController.php b/src/applications/diffusion/controller/DiffusionBrowseController.php
index 62d247a651..7d3ac8ed7c 100644
--- a/src/applications/diffusion/controller/DiffusionBrowseController.php
+++ b/src/applications/diffusion/controller/DiffusionBrowseController.php
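Review bot: phutil_safe_html() around `$engine->markupText($this->value)` does not escape anything — it marks the string as already safe (the Conduit hunk's `phutil_safe_html($text)->getHTMLContent()` round trip shows it is a thin wrapper), so the security property at this line rests entirely on the markup engine having escaped the raw field value, which is not visible at the call site. The same pattern recurs in the DifferentialUnitFieldSpecification, DiffusionBrowseController, DiffusionBrowseQuery, PhabricatorPeopleProfileController and PhabricatorSlowvotePollController hunks of this diff. A comment at this first site, `// markupText() output is already escaped; the wrapper only marks it as trusted HTML.`, would keep a later reader from mistaking the wrapper for a sanitiser, and having markupText() return PhutilSafeHTML itself (as getOutput() now does in the PhabricatorMarkupEngine hunk) would remove the need to repeat that assertion at every caller. The enclosing methods start outside their hunks.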
@@ -106,7 +106,7 @@ final class DiffusionBrowseController extends DiffusionController {
 private function markupText($text) {
 $engine = PhabricatorMarkupEngine::newDiffusionMarkupEngine();
- $text = $engine->markupText($text);
+ $text = phutil_safe_html($engine->markupText($text));
 $text = phutil_tag(
 'div',
diff --git a/src/applications/diffusion/controller/DiffusionCommitController.php b/src/applications/diffusion/controller/DiffusionCommitController.php
index 8afcc4b0e7..235be74c25 100644
--- a/src/applications/diffusion/controller/DiffusionCommitController.php
+++ b/src/applications/diffusion/controller/DiffusionCommitController.php
@@ -93,7 +93,8 @@ final class DiffusionCommitController extends DiffusionController {
 $property_list->addTextContent( '
' );
diff --git a/src/applications/diffusion/query/browse/DiffusionBrowseQuery.php b/src/applications/diffusion/query/browse/DiffusionBrowseQuery.php
index 832f4784d9..a4d2d44ceb 100644
--- a/src/applications/diffusion/query/browse/DiffusionBrowseQuery.php
+++ b/src/applications/diffusion/query/browse/DiffusionBrowseQuery.php
@@ -127,7 +127,7 @@ abstract class DiffusionBrowseQuery {
 } else {
 // Markup extensionless files as remarkup so we get links and such.
 $engine = PhabricatorMarkupEngine::newDiffusionMarkupEngine();
- $readme_content = $engine->markupText($readme_content);
+ $readme_content = phutil_safe_html($engine->markupText($readme_content));
 $class = 'phabricator-remarkup';
 }
diff --git a/src/applications/people/controller/PhabricatorPeopleProfileController.php b/src/applications/people/controller/PhabricatorPeopleProfileController.php
index 88a62a3dab..576758f2e9 100644
--- a/src/applications/people/controller/PhabricatorPeopleProfileController.php
+++ b/src/applications/people/controller/PhabricatorPeopleProfileController.php
@@ -165,7 +165,7 @@ final class PhabricatorPeopleProfileController
 '//Nothing is known about this rare specimen.//');
 $engine = PhabricatorMarkupEngine::newProfileMarkupEngine();
- $blurb = $engine->markupText($blurb);
+ $blurb = phutil_safe_html($engine->markupText($blurb));
 $viewer = $this->getRequest()->getUser();
diff --git a/src/applications/phame/skins/PhameBasicBlogSkin.php b/src/applications/phame/skins/PhameBasicBlogSkin.php
index 74d70f4f52..569bb6b3b3 100644
--- a/src/applications/phame/skins/PhameBasicBlogSkin.php
+++ b/src/applications/phame/skins/PhameBasicBlogSkin.php
@@ -70,6 +70,7 @@ abstract class PhameBasicBlogSkin extends PhameBlogSkin {
 $view->setFrameable(true);
 }
+ $view->appendChild($content);
 $response = new AphrontWebpageResponse();
@@ -95,23 +96,30 @@ abstract class PhameBasicBlogSkin extends PhameBlogSkin {
 $summaries[] = $post->renderWithSummary();
 }
- $list = phutil_render_tag(
+ $list = phutil_tag(
 'div',
 array(
 'class' => 'phame-post-list',
 ),
 id(new AphrontNullView())->appendChild($summaries)->render());
- $pager = $this->renderOlderPageLink().$this->renderNewerPageLink();
- if ($pager) {
+ $pager = null;
+ if ($this->renderOlderPageLink() || $this->renderNewerPageLink()) {
 $pager = phutil_tag(
 'div',
 array(
 'class' => 'phame-pager',
+ ),
+ array(
+ $this->renderOlderPageLink(),
+ $this->renderNewerPageLink(),
 ));
 }
- return $list.$pager;
+ return array(
+ $list,
+ $pager,
+ );
 }
 protected function render404Page() {
diff --git a/src/applications/phame/view/PhamePostView.php b/src/applications/phame/view/PhamePostView.php
index 533d4402a5..8c5a47c452 100644
--- a/src/applications/phame/view/PhamePostView.php
+++ b/src/applications/phame/view/PhamePostView.php
@@ -87,7 +87,7 @@ final class PhamePostView extends AphrontView {
 }
 public function renderBody() {
- return phutil_render_tag(
+ return phutil_tag(
 'div',
 array(
 'class' => 'phame-post-body',
@@ -96,7 +96,7 @@ final class PhamePostView extends AphrontView {
 }
 public function renderSummary() {
- return phutil_render_tag(
+ return phutil_tag(
 'div',
 array(
 'class' => 'phame-post-body',
@@ -159,20 +159,19 @@ final class PhamePostView extends AphrontView {
 array(
 'id' => 'fb-root',
 ),
- ''
- );
+ '');
 $c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId='.$fb_id;
- $fb_js = jsprintf(
- '',
- $c_uri
- );
+ $fb_js = phutil_safe_html(
+ jsprintf(
+ '',
+ $c_uri));
 $uri = $this->getSkin()->getURI('post/'.$this->getPost()->getPhameTitle());
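Review bot: The rewritten pager block calls renderOlderPageLink() and renderNewerPageLink() once in the `if` and again inside the `array(...)` passed to phutil_tag(), so each link is rendered twice per request and the rendered children could differ from what the condition saw if the helpers have side effects; evaluate them once into locals. The old code tested the concatenated string for emptiness, whereas the new `||` tests the helper return values directly — if a helper hands back an empty tag object rather than null when there is no link, an object is always truthy and an empty phame-pager div is emitted, which is worth confirming against the helpers (not in the hunk). Separately, `id(new AphrontNullView())->appendChild($summaries)->render()` is now passed to phutil_tag(), which escapes plain strings; that is only correct if render() returns a PhutilSafeHTML, otherwise the summaries arrive as literal markup. The enclosing method starts outside the hunk.
```php
    $older = $this->renderOlderPageLink();
    $newer = $this->renderNewerPageLink();

    $pager = null;
    if ($older || $newer) {
      $pager = phutil_tag(
        'div',
        array(
          'class' => 'phame-pager',
        ),
        array(
          $older,
          $newer,
        ));
    }
    // … unchanged: return array($list, $pager) …
```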
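Review bot: Wrapping the jsprintf() result in phutil_safe_html() promotes an inline script block to trusted HTML, so nothing downstream will escape it; that is sound only if jsprintf() escapes its arguments for the script context they are embedded in, and the string literal shows as `''` in this view, so its contents cannot be checked here. At this site the only argument, $c_uri, is assembled from configuration ($fb_id) rather than request data, which bounds the exposure; the identical wrapping in the renderDisqusComments hunk feeds `$post->getTitle()` and a URL derived from the post title through jsprintf(), so the escaping guarantee matters more there. A one-line comment at this first site, `// jsprintf() escapes the arguments; phutil_safe_html() only marks the finished script as trusted.`, would record the assumption the wrapper relies on. The enclosing method's signature is outside the hunk.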
@@ -183,17 +182,18 @@ final class PhamePostView extends AphrontView {
 'data-href' => $uri,
 'data-num-posts' => 5,
 ),
- ''
- );
+ '');
- return phutil_render_tag(
+ return phutil_tag(
 'div',
 array(
 'class' => 'phame-comments-facebook',
 ),
- $fb_root.
- $fb_js.
- $fb_comments);
+ array(
+ $fb_root,
+ $fb_js,
+ $fb_comments,
+ ));
 }
 private function renderDisqusComments() {
@@ -211,32 +211,34 @@ final class PhamePostView extends AphrontView {
 );
 // protip - try some var disqus_developer = 1; action to test locally
- $disqus_js = jsprintf(
- '',
- $post->getPHID(),
- $this->getSkin()->getURI('post/'.$this->getPost()->getPhameTitle()),
- $post->getTitle()
- );
+ $disqus_js = phutil_safe_html(
+ jsprintf(
+ '',
+ $post->getPHID(),
+ $this->getSkin()->getURI('post/'.$this->getPost()->getPhameTitle()),
+ $post->getTitle()));
- return phutil_render_tag(
+ return phutil_tag(
 'div',
 array(
 'class' => 'phame-comments-disqus',
 ),
- $disqus_thread.
- $disqus_js);
+ array(
+ $disqus_thread,
+ $disqus_js,
+ ));
 }
 }
diff --git a/src/applications/remarkup/conduit/ConduitAPI_remarkup_process_Method.php b/src/applications/remarkup/conduit/ConduitAPI_remarkup_process_Method.php
index 6986488342..7d51f23d26 100644
--- a/src/applications/remarkup/conduit/ConduitAPI_remarkup_process_Method.php
+++ b/src/applications/remarkup/conduit/ConduitAPI_remarkup_process_Method.php
@@ -43,8 +43,15 @@ final class ConduitAPI_remarkup_process_Method extends ConduitAPIMethod {
 $engine = PhabricatorMarkupEngine::$engine_class();
 $engine->setConfig('viewer', $request->getUser());
+ $text = $engine->markupText($content);
+ if ($text) {
+ $content = phutil_safe_html($text)->getHTMLContent();
+ } else {
+ $content = '';
+ }
+
 $result = array(
- 'content' => $engine->markupText($content),
+ 'content' => $content,
 );
 return $result;
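Review bot: `if ($text)` in the Conduit hunk is a truthiness test on the rendered markup, so an output that is exactly "0" is reported to the API caller as an empty `content`; a length check, `if (strlen($text)) {`, is the intended test assuming markupText() returns a string. The `phutil_safe_html($text)->getHTMLContent()` round trip appears to hand back the very string it was given, so the branch reads as a no-op unless its purpose is to normalise a PhutilSafeHTML object into a plain string for the JSON payload — a comment such as `// Unwrap to a plain string: Conduit serialises this, it does not render it.` would say which. The surrounding method starts and ends outside the hunk.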
diff --git a/src/applications/slowvote/controller/PhabricatorSlowvotePollController.php b/src/applications/slowvote/controller/PhabricatorSlowvotePollController.php
index 531ddaba61..2bc75bc744 100644
--- a/src/applications/slowvote/controller/PhabricatorSlowvotePollController.php
+++ b/src/applications/slowvote/controller/PhabricatorSlowvotePollController.php
@@ -203,7 +203,8 @@ final class PhabricatorSlowvotePollController
 foreach ($comments as $comment) {
 $handle = $handles[$comment->getAuthorPHID()];
- $markup = $engine->markupText($comment->getCommentText());
+ $markup = phutil_safe_html(
+ $engine->markupText($comment->getCommentText()));
 require_celerity_resource('phabricator-remarkup-css');
diff --git a/src/infrastructure/markup/PhabricatorMarkupEngine.php b/src/infrastructure/markup/PhabricatorMarkupEngine.php
index 9a82942558..5e9a96d31d 100644
--- a/src/infrastructure/markup/PhabricatorMarkupEngine.php
+++ b/src/infrastructure/markup/PhabricatorMarkupEngine.php
@@ -160,7 +160,7 @@ final class PhabricatorMarkupEngine {
 "Call process() before getOutput().");
 }
- return $this->objects[$key]['output'];
+ return new PhutilSafeHTML($this->objects[$key]['output']);
 }
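Review bot: getOutput() in the PhabricatorMarkupEngine hunk now returns a PhutilSafeHTML object where it returned the raw string, which is an interface change for any existing caller that applied string functions to the result; the method's docblock (outside the hunk) should record it, e.g. `@return PhutilSafeHTML Rendered, already-escaped output for the object's markup field.`. The class's other entry point, markupText(), is not touched by the diff even though every other hunk wraps its result in phutil_safe_html() at the call site; returning PhutilSafeHTML from there as well would keep the "this output is already escaped" decision inside the engine instead of repeating it in each controller. getOutput() begins outside the hunk.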