From ac029d0a50e7b5460f3cacfaa78ad96c10f1dd33 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Fri, 20 Mar 2015 14:54:35 -0700
Subject: [PATCH] Fix a self-XSS hole in Diffusion

Summary: Via HackerOne. We aren't correctly escaping the date, so a user can XSS themselves by setting their date format creatively. This construction is very unusual and I don't think we do anything similar elsewhere, so I can't come up with a systematic change which would prevent this in the general case. Test Plan: Set date format to tag junk, got self-XSS before patch and proper escaping after the patch. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D12117
---
 .../controller/DiffusionLastModifiedController.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/applications/diffusion/controller/DiffusionLastModifiedController.php b/src/applications/diffusion/controller/DiffusionLastModifiedController.php
index ca1b738807..58b60995d4 100644
--- a/src/applications/diffusion/controller/DiffusionLastModifiedController.php
+++ b/src/applications/diffusion/controller/DiffusionLastModifiedController.php
@@ -153,6 +153,12 @@ final class DiffusionLastModifiedController extends DiffusionController {
 number_format($lint));
 }
 
+ // The client treats these results as markup, so make sure they have been
+ // escaped correctly.
+ foreach ($return as $key => $value) {
+ $return[$key] = hsprintf('%s', $value);
+ }
+
 return $return;
 }
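Review bot: The escape in the new foreach depends on a type distinction the added comment leaves implicit: if `hsprintf('%s', ...)` follows libphutil's usual semantics it HTML-escapes plain strings but passes values that are already `PhutilSafeHTML` through unchanged, so the loop closes the date hole only because the date is produced as a raw string while the link values are already safe markup. Spelling that out prevents a later reader from "fixing" a suspected double-escape by removing the loop, e.g. `// Plain strings here (notably the user-formatted date) get escaped; values that are already PhutilSafeHTML pass through hsprintf('%s') untouched.` The loop also turns every entry of `$return` from a string into a `PhutilSafeHTML` object, so whatever serializes `$return` for the client must accept that type — the test plan suggests it does, but the serialization path is not visible in this hunk. The method that builds `$return` starts before the hunk.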