phorge-phorge

mirror of https://we.phorge.it/source/phorge.git synced 2024-11-25 00:02:41 +01:00

History

epriestley 88ae246593 Write search bolding in a way which is certainly HTML-safe Summary: This algorithm is tricky, and uses `phutil_safe_html()` directly, which makes it potentially unsafe. In particular, D8859 fixes a bug with it which caused it to produce non-utf8 output. This doesn't guarantee it's a security problem, but does make it suspicious. I don't actually see a way to break it, but rewrite it so that it's absolutely bulletproof and does not need to call `phutil_safe_html()`. Test Plan: {F147487} @rugabarbo, if you have a chance, can you check if this still works for you? Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley, rugabarbo Differential Revision: https://secure.phabricator.com/D8862	2014-04-26 12:44:16 -07:00
..
PhabricatorSearchResultView.php	Write search bolding in a way which is certainly HTML-safe	2014-04-26 12:44:16 -07:00

epriestley 88ae246593 Write search bolding in a way which is certainly HTML-safe

Summary:
This algorithm is tricky, and uses `phutil_safe_html()` directly, which makes it potentially unsafe.

In particular, D8859 fixes a bug with it which caused it to produce non-utf8 output. This doesn't guarantee it's a security problem, but does make it suspicious.

I don't actually see a way to break it, but rewrite it so that it's absolutely bulletproof and does not need to call `phutil_safe_html()`.

Test Plan:
{F147487}

@rugabarbo, if you have a chance, can you check if this still works for you?

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley, rugabarbo

Differential Revision: https://secure.phabricator.com/D8862

2014-04-26 12:44:16 -07:00

PhabricatorSearchResultView.php

Write search bolding in a way which is certainly HTML-safe

2014-04-26 12:44:16 -07:00