From f712ae718ccc1c94d882c626ca8626b77346026b Mon Sep 17 00:00:00 2001
From: Josh Cox
Date: Wed, 7 Sep 2016 23:29:46 -0400
Subject: [PATCH] Added `-` to the whitelist for CSS rules

Summary: Fixes T11567. This way people can use things like `sans-serif` and `-webkit-small-control` for their "monospaced" font

Test Plan: I added the hyphen to the regex then was able to set my Monospaced Font to be anything with a hyphen in it. I also tried to break it pretty extensively, but couldn't find anything that would let me write malicious CSS or JS.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, yelirekim

Maniphest Tasks: T11567

Differential Revision: https://secure.phabricator.com/D16519
---
 .../settings/setting/PhabricatorMonospacedFontSetting.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/applications/settings/setting/PhabricatorMonospacedFontSetting.php b/src/applications/settings/setting/PhabricatorMonospacedFontSetting.php
index 3ce55b26ad..2a96f5d95f 100644
--- a/src/applications/settings/setting/PhabricatorMonospacedFontSetting.php
+++ b/src/applications/settings/setting/PhabricatorMonospacedFontSetting.php
@@ -34,15 +34,15 @@ final class PhabricatorMonospacedFontSetting
       throw new Exception(
         pht(
           'Monospaced font value "%s" is unsafe. You may only enter '.
-          'letters, numbers, spaces, commas, periods, forward slashes '.
-          'and double quotes.',
+          'letters, numbers, spaces, commas, periods, hyphens, '.
+          'forward slashes, and double quotes',
           $value));
     }
   }
 
   public static function filterMonospacedCSSRule($monospaced) {
     // Prevent the user from doing dangerous things.
-    return preg_replace('([^a-z0-9 ,"./]+)i', '', $monospaced);
+    return preg_replace('([^a-z0-9 ,"./-]+)i', '', $monospaced);
   }
 
 }
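Review bot: The rewritten message on the second added line drops the sentence's closing period (`'forward slashes, and double quotes'`), so the rendered error now ends abruptly while the sentence before it is punctuated; it should read `'forward slashes, and double quotes.',`. The list of permitted characters in this message and the character class in `filterMonospacedCSSRule` are maintained by hand in two places, and this patch is an example of having to edit both; a comment on the `preg_replace` line such as `// Keep this character class in sync with the validation message above.` would make that coupling visible to the next person who widens the whitelist. For the record, the new class `[^a-z0-9 ,"./-]` still excludes `;`, `:`, `{`, `}`, `(`, `)` and `\`, so admitting the hyphen does not let a stored value terminate the CSS declaration or introduce a function token, which is consistent with the test plan. The method containing the `throw` starts outside the hunk, so its name and the surrounding condition are not visible here.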