@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Disallow <! in <script>

Summary:
HTML5 has these crazy script escaping states:

- Script data escaped dash dash state
- Script data double escaped state

https://communities.coverity.com/blogs/security/2012/11/16/did-i-do-that-html-5-js-escapers-3

Perhaps `<!` is too aggressive but I didn't spend much time searching for a more fine grained expression.

Test Plan: Searched for `renderInlineScript()`.

Reviewers: epriestley

Reviewed By: epriestley

CC: Korvin, epriestley, aran

Differential Revision: https://secure.phabricator.com/D7329
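The two escaping states the summary names, as an added example that is not part of this revision or of Phabricator/Phorge: a small JavaScript model of the HTML5 tokenizer's script-data transitions, the `</script>`/`<!` rule from this change re-expressed as a stand-alone check, and (going beyond what the revision does) the `\u003c` encoding that is commonly used instead when untrusted data is embedded as a JSON string literal. The function names, `PAGE_TAIL` and the sample inputs are constructed for the demo.

```javascript
'use strict';
// Added example, not project code: a minimal model of the HTML5 tokenizer's
// script-data states (data, escaped, double escaped) showing why a literal
// `<!` inside an inline <script> is dangerous. Names and inputs are invented.

// Case-insensitive test for "<script" / "</script" followed by a tag-ending
// character, which is what the tokenizer requires for the tag to count.
function tagAt(content, pos, name) {
  if (content.substr(pos, name.length).toLowerCase() !== name) return false;
  const next = content[pos + name.length];
  return next === undefined || /[\s\/>]/.test(next);
}

// Walk the raw text following an opening <script> tag and return the index of
// the `</script>` that actually terminates the element, or -1 if none does.
//   data:    `</script>` ends the element; `<!--` enters the escaped state
//   escaped: `</script>` ends the element; `-->` returns to data;
//            `<script` enters the double escaped state
//   double:  `</script>` only drops back to escaped; `-->` returns to data
function findScriptEnd(content) {
  let state = 'data';
  let i = 0;
  while (i < content.length) {
    if (state === 'data') {
      if (tagAt(content, i, '</script')) return i;
      if (content.startsWith('<!--', i)) {
        i += 4;
        while (content[i] === '-') i += 1;      // "escaped dash dash" state
        if (content[i] === '>') { i += 1; }      // `<!-->` closes immediately
        else state = 'escaped';
        continue;
      }
    } else if (state === 'escaped') {
      if (tagAt(content, i, '</script')) return i;
      if (content.startsWith('-->', i)) { state = 'data'; i += 3; continue; }
      if (tagAt(content, i, '<script')) { state = 'double'; i += 7; continue; }
    } else { // double escaped
      if (content.startsWith('-->', i)) { state = 'data'; i += 3; continue; }
      if (tagAt(content, i, '</script')) { state = 'escaped'; i += 8; continue; }
    }
    i += 1;
  }
  return -1;
}

// The rule this revision enforces, as a stand-alone check (modeled on the
// change, not the project's function): refuse to emit an inline script whose
// body could move the tokenizer out of the plain script data state.
function assertInlineScriptSafe(js) {
  if (/<\/script/i.test(js)) {
    throw new Error('Literal </script> is not allowed inside inline script.');
  }
  if (js.includes('<!')) {
    throw new Error('Literal <! is not allowed inside inline script.');
  }
  return js;
}

// Constructed page tail: after the inline script comes a paragraph containing
// "-->" and a second, unrelated script block.
const PAGE_TAIL = '<p>--></p><script>b();</script>';

// Does the closing tag the page author writes actually close the element?
function closesWhereExpected(js) {
  return findScriptEnd(js + '</script>' + PAGE_TAIL) === js.length;
}

// Alternative to throwing, for data embedded as a JSON string literal: encode
// `<` as \u003c so no tag-like byte sequence reaches the HTML tokenizer.
// (A widely used alternative, not what this revision does.)
function escapeJsonForScript(jsonText) {
  return jsonText.replace(/</g, '\\u003c');
}

const SAFE = 'var x = 1;';                       // constructed benign script
const INJECTED = 'var x = "<!--<script>";';      // constructed attacker-controlled value
```

Run with node. `closesWhereExpected(INJECTED)` is false: after `<!--<script>` the page's own `</script>` only returns the tokenizer to the escaped state, so the element runs on into the following markup and ends at the next script block's close tag (index 54 in the constructed page), and with no later `</script>` it never ends at all. Rejecting `<!` keeps the tokenizer in the plain script data state, where the first `</script>` always wins, which is why the check in the revision is sufficient even though it also rejects harmless `<!` inside string literals.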

src/applications/differential/controller/DifferentialRevisionViewController.php
··· 51 51 $diff_vs = $request->getInt('vs'); 52 52 53 53 $target_id = $request->getInt('id'); 54 + phlog($target_id); 54 55 $target = idx($diffs, $target_id, end($diffs)); 55 56 56 57 $target_manual = $target;
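Review bot: the added `phlog($target_id);` in DifferentialRevisionViewController is leftover debug output and has nothing to do with the `<!` check this revision is about; it would log the target id on every revision view. Drop this line before landing, or move it into a separate revision if the diff-selection logic really needs instrumentation.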
src/applications/differential/view/DifferentialRevisionUpdateHistoryView.php
··· 89 89 $new = null; 90 90 } 91 91 92 + phlog($this->selectedVersusDiffID, $this->selectedDiffID); 93 + 92 94 if ($max_id != $id) { 93 95 $uniq = celerity_generate_unique_node_id(); 94 96 $old_checked = ($this->selectedVersusDiffID == $id);
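Review bot: the added `phlog($this->selectedVersusDiffID, $this->selectedDiffID);` and the blank line after it in DifferentialRevisionUpdateHistoryView are also stray debugging output unrelated to the inline-script change; remove both. If the two selected diff IDs need inspecting, do it behind a condition or in its own revision rather than logging unconditionally from the view.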
src/infrastructure/celerity/CelerityStaticResourceResponse.php
··· 193 193 throw new Exception( 194 194 'Literal </script> is not allowed inside inline script.'); 195 195 } 196 + if (strpos($data, '<!') !== false) { 197 + throw new Exception('Literal <! is not allowed inside inline script.'); 198 + } 196 199 return hsprintf( 197 200 // We don't use <![CDATA[ ]]> because it is ignored by HTML parsers. We 198 201 // would need to send the document with XHTML content type.
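Review bot: the new `<!` check in CelerityStaticResourceResponse carries no comment explaining why it exists, while the CDATA comment just below it explains the other parsing decision; a one-line note that `<!--` moves the HTML tokenizer into the script-data-escaped states, where a `<script` in the data stops the real `</script>` from closing the element, would save the next reader a trip to the spec. Since the check is a plain substring match over the whole `$data`, it also rejects a harmless `<!` inside a string literal, so the exception message should tell callers the remedy (escape `<` in embedded string data) rather than only state the rule. For consistency with the `</script>` check above, wrap the `throw new Exception(...)` the same way it is wrapped there.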