From 02e8a322dc58cedbb62098fff1ea4d45d7a5eb45 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Mon, 3 Dec 2012 16:46:56 -0800
Subject: [PATCH] Defuse XSS in Calendar
Summary: `addDetail()` takes HTML because we have links there fairly often. :/ This design is iffy.
Test Plan: Reloaded `/calendar/status/`, verified no XSS.
Reviewers: btrahan, vrana
Reviewed By: vrana
CC: aran
Maniphest Tasks: T139
Differential Revision: https://secure.phabricator.com/D4074
---
.../controller/PhabricatorCalendarViewStatusController.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/applications/calendar/controller/PhabricatorCalendarViewStatusController.php b/src/applications/calendar/controller/PhabricatorCalendarViewStatusController.php
index 79943839de..eb285754d0 100644
--- a/src/applications/calendar/controller/PhabricatorCalendarViewStatusController.php
+++ b/src/applications/calendar/controller/PhabricatorCalendarViewStatusController.php
@@ -73,7 +73,7 @@ final class PhabricatorCalendarViewStatusController
 ->setHref($href)
 ->addDetail(
 pht('Description'),
- $status->getDescription())
+ phutil_escape_html($status->getDescription()))
 ->addAttribute(pht('From %s', $from))
 ->addAttribute(pht('To %s', $to));
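Review bot: The escape is applied at a single call site while `addDetail()` keeps accepting raw HTML, so any other caller that hands it a user-supplied string is still an XSS sink — the summary itself calls the design iffy. The safer fix is to have `addDetail()` escape its argument by default and expose an explicit raw-HTML variant for the link case, so a forgotten `phutil_escape_html()` fails safe rather than open. On the new line I would also leave `// addDetail() renders raw HTML; the description is user-supplied, so escape it here.` so a later edit does not drop the wrapper. The two `addAttribute()` calls below pass `$from` and `$to` unescaped; if that method is the same kind of HTML sink and those values are not produced by a date formatter they need the same treatment, which cannot be decided from this hunk. The enclosing method starts and ends outside the hunk.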