From fe4d717cc724d462f005f3bc49fcf3ed26c5a80a Mon Sep 17 00:00:00 2001
From: vrana <jakubv@fb.com>
Date: Thu, 2 Feb 2012 17:06:02 -0800
Subject: [PATCH] Escape result of PhabricatorOAuthProvider::getProviderName()

Test Plan: /settings/page/facebook/

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1556
---
 .../login/PhabricatorLoginController.php         | 12 +++++++-----
 .../auth/controller/login/__init__.php           |  1 +
 .../oauth/PhabricatorOAuthLoginController.php    |  7 ++++---
 .../auth/controller/oauth/__init__.php           |  1 +
 .../unlink/PhabricatorOAuthUnlinkController.php  |  3 +--
 .../oauthfailure/PhabricatorOAuthFailureView.php |  6 +++---
 ...abricatorUserOAuthSettingsPanelController.php | 16 +++++++++-------
 .../settings/panels/oauth/__init__.php           |  1 +
 8 files changed, 27 insertions(+), 20 deletions(-)

diff --git a/src/applications/auth/controller/login/PhabricatorLoginController.php b/src/applications/auth/controller/login/PhabricatorLoginController.php
index f0c8f54d5f..0cfffcc5ad 100644
--- a/src/applications/auth/controller/login/PhabricatorLoginController.php
+++ b/src/applications/auth/controller/login/PhabricatorLoginController.php
@@ -198,14 +198,16 @@ class PhabricatorLoginController extends PhabricatorAuthController {
 
       if ($provider->isProviderRegistrationEnabled()) {
         $title = "Login or Register with {$provider_name}";
-        $body = "Login or register for Phabricator using your ".
-                "{$provider_name} account.";
+        $body = 'Login or register for Phabricator using your '.
+                phutil_escape_html($provider_name).' account.';
         $button = "Login or Register with {$provider_name}";
       } else {
         $title = "Login with {$provider_name}";
-        $body = "Login to your existing Phabricator account using your ".
-                "{$provider_name} account.<br /><br /><strong>You can not use ".
-                "{$provider_name} to register a new account.</strong>";
+        $body = 'Login to your existing Phabricator account using your '.
+                phutil_escape_html($provider_name).' account.<br /><br />'.
+                '<strong>You can not use '.
+                phutil_escape_html($provider_name).' to register a new '.
+                'account.</strong>';
         $button = "Login with {$provider_name}";
       }
 
diff --git a/src/applications/auth/controller/login/__init__.php b/src/applications/auth/controller/login/__init__.php
index 9eb25e964c..489302687f 100644
--- a/src/applications/auth/controller/login/__init__.php
+++ b/src/applications/auth/controller/login/__init__.php
@@ -21,6 +21,7 @@ phutil_require_module('phabricator', 'view/form/control/text');
 phutil_require_module('phabricator', 'view/form/error');
 phutil_require_module('phabricator', 'view/layout/panel');
 
+phutil_require_module('phutil', 'markup');
 phutil_require_module('phutil', 'parser/uri');
 phutil_require_module('phutil', 'utils');
 
diff --git a/src/applications/auth/controller/oauth/PhabricatorOAuthLoginController.php b/src/applications/auth/controller/oauth/PhabricatorOAuthLoginController.php
index 85989967ef..a0207e650b 100644
--- a/src/applications/auth/controller/oauth/PhabricatorOAuthLoginController.php
+++ b/src/applications/auth/controller/oauth/PhabricatorOAuthLoginController.php
@@ -41,7 +41,7 @@ class PhabricatorOAuthLoginController extends PhabricatorAuthController {
       return new Aphront400Response();
     }
 
-    $provider_name = $provider->getProviderName();
+    $provider_name = phutil_escape_html($provider->getProviderName());
     $provider_key = $provider->getProviderKey();
 
     $request = $this->getRequest();
@@ -113,7 +113,7 @@ class PhabricatorOAuthLoginController extends PhabricatorAuthController {
       if (!$request->isDialogFormPost()) {
         $dialog = new AphrontDialogView();
         $dialog->setUser($current_user);
-        $dialog->setTitle('Link '.$provider_name.' Account');
+        $dialog->setTitle('Link '.$provider->getProviderName().' Account');
         $dialog->appendChild(
           '<p>Link your '.$provider_name.' account to your Phabricator '.
           'account?</p>');
@@ -184,7 +184,8 @@ class PhabricatorOAuthLoginController extends PhabricatorAuthController {
     if (!$provider->isProviderRegistrationEnabled()) {
       $dialog = new AphrontDialogView();
       $dialog->setUser($current_user);
-      $dialog->setTitle('No Account Registration With '.$provider_name);
+      $dialog->setTitle('No Account Registration With '.
+        $provider->getProviderName());
       $dialog->appendChild(
         '<p>You can not register a new account using '.$provider_name.'; '.
         'you can only use your '.$provider_name.' account to log into an '.
diff --git a/src/applications/auth/controller/oauth/__init__.php b/src/applications/auth/controller/oauth/__init__.php
index 034e422097..f0c1759213 100644
--- a/src/applications/auth/controller/oauth/__init__.php
+++ b/src/applications/auth/controller/oauth/__init__.php
@@ -18,6 +18,7 @@ phutil_require_module('phabricator', 'applications/people/storage/useroauthinfo'
 phutil_require_module('phabricator', 'infrastructure/env');
 phutil_require_module('phabricator', 'view/dialog');
 
+phutil_require_module('phutil', 'markup');
 phutil_require_module('phutil', 'parser/uri');
 phutil_require_module('phutil', 'symbols');
 phutil_require_module('phutil', 'utils');
diff --git a/src/applications/auth/controller/unlink/PhabricatorOAuthUnlinkController.php b/src/applications/auth/controller/unlink/PhabricatorOAuthUnlinkController.php
index dcf0248f06..d94c9af343 100644
--- a/src/applications/auth/controller/unlink/PhabricatorOAuthUnlinkController.php
+++ b/src/applications/auth/controller/unlink/PhabricatorOAuthUnlinkController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright 2011 Facebook, Inc.
+ * Copyright 2012 Facebook, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,7 +35,6 @@ class PhabricatorOAuthUnlinkController extends PhabricatorAuthController {
         "You may not unlink accounts from this OAuth provider.");
     }
 
-    $provider_name = $provider->getProviderName();
     $provider_key = $provider->getProviderKey();
 
     $oauth_info = id(new PhabricatorUserOAuthInfo())->loadOneWhere(
diff --git a/src/applications/auth/view/oauthfailure/PhabricatorOAuthFailureView.php b/src/applications/auth/view/oauthfailure/PhabricatorOAuthFailureView.php
index c25d571e65..5808c2358b 100644
--- a/src/applications/auth/view/oauthfailure/PhabricatorOAuthFailureView.php
+++ b/src/applications/auth/view/oauthfailure/PhabricatorOAuthFailureView.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright 2011 Facebook, Inc.
+ * Copyright 2012 Facebook, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,12 +34,12 @@ class PhabricatorOAuthFailureView extends AphrontView {
   public function render() {
     $request = $this->request;
     $provider = $this->provider;
-    $provider_name = $provider->getProviderName();
+    $provider_name = phutil_escape_html($provider->getProviderName());
 
     $diagnose = null;
 
     $view = new AphrontRequestFailureView();
-    $view->setHeader($provider_name.' Auth Failed');
+    $view->setHeader($provider->getProviderName().' Auth Failed');
     if ($this->request) {
       $view->appendChild(
         '<p>'.
diff --git a/src/applications/people/controller/settings/panels/oauth/PhabricatorUserOAuthSettingsPanelController.php b/src/applications/people/controller/settings/panels/oauth/PhabricatorUserOAuthSettingsPanelController.php
index b406a08a35..54444dcaa3 100644
--- a/src/applications/people/controller/settings/panels/oauth/PhabricatorUserOAuthSettingsPanelController.php
+++ b/src/applications/people/controller/settings/panels/oauth/PhabricatorUserOAuthSettingsPanelController.php
@@ -52,9 +52,9 @@ class PhabricatorUserOAuthSettingsPanelController
       $form
         ->appendChild(
           '<p class="aphront-form-instructions">There is currently no '.
-          $provider_name.' account linked to your Phabricator account. You '.
-          'can link an account, which will allow you to use it to log into '.
-          'Phabricator.</p>');
+          phutil_escape_html($provider_name).' account linked to your '.
+          'Phabricator account. You can link an account, which will allow you '.
+          'to use it to log into Phabricator.</p>');
 
       $auth_uri = $provider->getAuthURI();
       $client_id = $provider->getClientID();
@@ -80,8 +80,9 @@ class PhabricatorUserOAuthSettingsPanelController
       $form
         ->appendChild(
           '<p class="aphront-form-instructions">Your account is linked with '.
-          'a '.$provider_name.' account. You may use your '.$provider_name.' '.
-          'credentials to log into Phabricator.</p>')
+          'a '.phutil_escape_html($provider_name).' account. You may use your '.
+          phutil_escape_html($provider_name).' credentials to log into '.
+          'Phabricator.</p>')
         ->appendChild(
           id(new AphrontFormStaticControl())
             ->setLabel($provider_name.' ID')
@@ -102,8 +103,9 @@ class PhabricatorUserOAuthSettingsPanelController
           ->setUser($user)
           ->appendChild(
             '<p class="aphront-form-instructions">You may unlink this account '.
-            'from your '.$provider_name.' account. This will prevent you from '.
-            'logging in with your '.$provider_name.' credentials.</p>')
+            'from your '.phutil_escape_html($provider_name).' account. This '.
+            'will prevent you from logging in with your '.
+            phutil_escape_html($provider_name).' credentials.</p>')
           ->appendChild(
             id(new AphrontFormSubmitControl())
               ->addCancelButton('/oauth/'.$provider_key.'/unlink/', $unlink));
diff --git a/src/applications/people/controller/settings/panels/oauth/__init__.php b/src/applications/people/controller/settings/panels/oauth/__init__.php
index ff727a2068..ab67b72259 100644
--- a/src/applications/people/controller/settings/panels/oauth/__init__.php
+++ b/src/applications/people/controller/settings/panels/oauth/__init__.php
@@ -15,6 +15,7 @@ phutil_require_module('phabricator', 'view/layout/panel');
 phutil_require_module('phabricator', 'view/null');
 phutil_require_module('phabricator', 'view/utils');
 
+phutil_require_module('phutil', 'markup');
 phutil_require_module('phutil', 'utils');