1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-21 13:00:56 +01:00

Added - to the whitelist for CSS rules

Summary: Fixes T11567. This way people can use things like `sans-serif` and `-webkit-small-control` for their "monospaced" font

Test Plan:
I added the hyphen to the regex then was able to set my Monospaced Font to be anything with a hyphen in it.

I also tried to break it pretty extensively, but couldn't find anything that would let me write malicious CSS or JS.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, yelirekim

Maniphest Tasks: T11567

Differential Revision: https://secure.phabricator.com/D16519
This commit is contained in:
Josh Cox 2016-09-07 23:29:46 -04:00
parent 0030bda17e
commit f712ae718c

View file

@ -34,15 +34,15 @@ final class PhabricatorMonospacedFontSetting
throw new Exception(
pht(
'Monospaced font value "%s" is unsafe. You may only enter '.
'letters, numbers, spaces, commas, periods, forward slashes '.
'and double quotes.',
'letters, numbers, spaces, commas, periods, hyphens, '.
'forward slashes, and double quotes',
$value));
}
}
public static function filterMonospacedCSSRule($monospaced) {
// Prevent the user from doing dangerous things.
return preg_replace('([^a-z0-9 ,"./]+)i', '', $monospaced);
return preg_replace('([^a-z0-9 ,"./-]+)i', '', $monospaced);
}
}