archive/phabricator
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

Defuse XSS in Calendar

Browse Source 
Summary: `addDetail()` takes HTML because we have links there fairly often. :/ This design is iffy.

Test Plan: Reloaded `/calendar/status/`, verified no XSS.

Reviewers: btrahan, vrana

Reviewed By: vrana

CC: aran

Maniphest Tasks: T139

Differential Revision: https://secure.phabricator.com/D4074
This commit is contained in:
epriestley
2012-12-03 16:46:56 -08:00
parent 27785c4f75
commit 02e8a322dc
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/applications/calendar/controller/PhabricatorCalendarViewStatusController.php
View File

@@ -73,7 +73,7 @@ final class PhabricatorCalendarViewStatusController
->setHref($href) ->setHref($href)
->addDetail( ->addDetail(
pht('Description'), pht('Description'),
$status->getDescription()) phutil_escape_html($status->getDescription()))
->addAttribute(pht('From %s', $from)) ->addAttribute(pht('From %s', $from))
->addAttribute(pht('To %s', $to)); ->addAttribute(pht('To %s', $to));