mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-21 13:00:56 +01:00
Added -
to the whitelist for CSS rules
Summary: Fixes T11567. This way people can use things like `sans-serif` and `-webkit-small-control` for their "monospaced" font Test Plan: I added the hyphen to the regex then was able to set my Monospaced Font to be anything with a hyphen in it. I also tried to break it pretty extensively, but couldn't find anything that would let me write malicious CSS or JS. Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: epriestley, yelirekim Maniphest Tasks: T11567 Differential Revision: https://secure.phabricator.com/D16519
This commit is contained in:
parent
0030bda17e
commit
f712ae718c
1 changed files with 3 additions and 3 deletions
|
@ -34,15 +34,15 @@ final class PhabricatorMonospacedFontSetting
|
|||
throw new Exception(
|
||||
pht(
|
||||
'Monospaced font value "%s" is unsafe. You may only enter '.
|
||||
'letters, numbers, spaces, commas, periods, forward slashes '.
|
||||
'and double quotes.',
|
||||
'letters, numbers, spaces, commas, periods, hyphens, '.
|
||||
'forward slashes, and double quotes',
|
||||
$value));
|
||||
}
|
||||
}
|
||||
|
||||
public static function filterMonospacedCSSRule($monospaced) {
|
||||
// Prevent the user from doing dangerous things.
|
||||
return preg_replace('([^a-z0-9 ,"./]+)i', '', $monospaced);
|
||||
return preg_replace('([^a-z0-9 ,"./-]+)i', '', $monospaced);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue