mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-24 15:52:41 +01:00
(stable) Fix an XSS issue where Diffusion files exceeding the highlighting byte limit were not properly escaped
Fixes T11257. Auditors: chad
This commit is contained in:
parent
a31815bc1c
commit
fd33fbbfae
1 changed files with 8 additions and 4 deletions
|
@ -682,17 +682,21 @@ final class DiffusionBrowseController extends DiffusionController {
|
||||||
$blame_commits,
|
$blame_commits,
|
||||||
$show_blame);
|
$show_blame);
|
||||||
} else {
|
} else {
|
||||||
if ($can_highlight) {
|
|
||||||
require_celerity_resource('syntax-highlighting-css');
|
require_celerity_resource('syntax-highlighting-css');
|
||||||
|
|
||||||
|
if (!$can_highlight) {
|
||||||
$highlighted = PhabricatorSyntaxHighlighter::highlightWithFilename(
|
$highlighted = PhabricatorSyntaxHighlighter::highlightWithFilename(
|
||||||
$path,
|
$path,
|
||||||
$file_corpus);
|
$file_corpus);
|
||||||
$lines = phutil_split_lines($highlighted);
|
|
||||||
} else {
|
} else {
|
||||||
$lines = phutil_split_lines($file_corpus);
|
// Highlight as plain text to escape the content properly.
|
||||||
|
$highlighted = PhabricatorSyntaxHighlighter::highlightWithLanguage(
|
||||||
|
'txt',
|
||||||
|
$file_corpus);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$lines = phutil_split_lines($highlighted);
|
||||||
|
|
||||||
$rows = $this->buildDisplayRows(
|
$rows = $this->buildDisplayRows(
|
||||||
$lines,
|
$lines,
|
||||||
$blame_list,
|
$blame_list,
|
||||||
|
|
Loading…
Reference in a new issue