mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-19 03:50:54 +01:00
Added - to the whitelist for CSS rules

Summary: Fixes T11567. This way people can use things like `sans-serif` and `-webkit-small-control` for their "monospaced" font.

Test Plan: I added the hyphen to the regex then was able to set my Monospaced Font to be anything with a hyphen in it. I also tried to break it pretty extensively, but couldn't find anything that would let me write malicious CSS or JS.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, yelirekim

Maniphest Tasks: T11567

Differential Revision: https://secure.phabricator.com/D16519
This commit is contained in:
parent
0030bda17e
commit
f712ae718c
1 changed files with 3 additions and 3 deletions
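To see what the character allow-list in `filterMonospacedCSSRule()` actually does before and after this commit, here is an added Python transliteration of the two PHP regexes run over a few constructed inputs. It is example code written for this page, not part of the Phorge code base; the `is_safe()` helper assumes the setting is rejected whenever filtering changes the value, which is the natural reading of the "is unsafe" exception text but is not visible in the hunk.

```python
import re

# Transliteration of the PHP allow-list in filterMonospacedCSSRule().
# PHP '([^a-z0-9 ,"./]+)i': the parentheses are the pattern delimiters and
# the trailing 'i' is the case-insensitive flag. Every run of characters
# outside the class is deleted.
BEFORE_PATCH = re.compile(r'[^a-z0-9 ,"./]+', re.IGNORECASE)

# After the patch the class ends with '-'. A hyphen in the last position of
# a character class is a literal hyphen, not a range operator.
AFTER_PATCH = re.compile(r'[^a-z0-9 ,"./-]+', re.IGNORECASE)


def filter_monospaced_css_rule(value: str, allow_hyphen: bool = True) -> str:
    """Strip every character outside the allow-list, like the PHP filter."""
    pattern = AFTER_PATCH if allow_hyphen else BEFORE_PATCH
    return pattern.sub("", value)


def is_safe(value: str, allow_hyphen: bool = True) -> bool:
    """Assumed acceptance rule (not the project's exact logic): a value is
    safe only if filtering leaves it unchanged."""
    return filter_monospaced_css_rule(value, allow_hyphen) == value


# Constructed sample inputs; none of these come from the task or the project.
SAMPLES = [
    'Consolas, -webkit-small-control',  # the case the patch fixes
    '"Fira Code", monospace; background: url(http://evil.example)',
    'expression(alert(1))',
]


def report():
    """Return (original, filtered-before-patch, filtered-after-patch) rows."""
    return [
        (s,
         filter_monospaced_css_rule(s, allow_hyphen=False),
         filter_monospaced_css_rule(s, allow_hyphen=True))
        for s in SAMPLES
    ]


if __name__ == "__main__":
    for original, old, new in report():
        print(f"{original!r}\n  before: {old!r}\n  after:  {new!r}\n")
```

The second and third samples show why adding the hyphen does not widen the attack surface described in the summary: the characters that would let a value escape a `font-family` declaration (`;`, `:`, `(`, `)`) are still outside the class and are removed, so `url(...)` and `expression(...)` collapse into harmless letters.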
|
@ -34,15 +34,15 @@ final class PhabricatorMonospacedFontSetting
|
||||||
throw new Exception(
|
throw new Exception(
|
||||||
pht(
|
pht(
|
||||||
'Monospaced font value "%s" is unsafe. You may only enter '.
|
'Monospaced font value "%s" is unsafe. You may only enter '.
|
||||||
'letters, numbers, spaces, commas, periods, forward slashes '.
|
'letters, numbers, spaces, commas, periods, hyphens, '.
|
||||||
'and double quotes.',
|
'forward slashes, and double quotes',
|
||||||
$value));
|
$value));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function filterMonospacedCSSRule($monospaced) {
|
public static function filterMonospacedCSSRule($monospaced) {
|
||||||
// Prevent the user from doing dangerous things.
|
// Prevent the user from doing dangerous things.
|
||||||
return preg_replace('([^a-z0-9 ,"./]+)i', '', $monospaced);
|
return preg_replace('([^a-z0-9 ,"./-]+)i', '', $monospaced);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
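Review bot: the rewritten error message loses the trailing period the original had: `'and double quotes.',` became `'forward slashes, and double quotes',`, so the sentence shown to the user now ends without punctuation; restore it as `'forward slashes, and double quotes.',`. In the regex change, the added `-` sits in the last position of the character class (`[^a-z0-9 ,"./-]`), where it is a literal hyphen rather than a range operator; keep it there, or escape it as `\-`, so that a future edit appending another character to the class does not silently turn it into a range.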