@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Revert "Promote phutil-tag again"

This reverts commit 8fbabdc06d9c951e92e21ab491740740322bff6d, reversing
changes made to 2dab1c1e42f25b889909146ba6f5286c7cc6bc75.

+1714 -1688
+1 -1
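--- a/src/aphront/AphrontRequest.php
+++ b/src/aphront/AphrontRequest.php
@@ -9,7 +9,7 @@
 final class AphrontRequest {
 
 // NOTE: These magic request-type parameters are automatically included in
-// certain requests (e.g., by phabricator_form(), JX.Request,
+// certain requests (e.g., by phabricator_render_form(), JX.Request,
 // JX.Workflow, and ConduitClient) and help us figure out what sort of
 // response the client expects.
 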
+14 -17
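--- a/src/aphront/configuration/AphrontDefaultApplicationConfiguration.php
+++ b/src/aphront/configuration/AphrontDefaultApplicationConfiguration.php
@@ -210,7 +210,7 @@
 
 if ($ex instanceof AphrontUsageException) {
 $error = new AphrontErrorView();
-$error->setTitle($ex->getTitle());
+$error->setTitle(phutil_escape_html($ex->getTitle()));
 $error->appendChild($ex->getMessage());
 
 $view = new PhabricatorStandardPageView();
@@ -227,8 +227,8 @@
 // Always log the unhandled exception.
 phlog($ex);
 
-$class = get_class($ex);
-$message = $ex->getMessage();
+$class = phutil_escape_html(get_class($ex));
+$message = phutil_escape_html($ex->getMessage());
 
 if ($ex instanceof AphrontQuerySchemaException) {
 $message .=
@@ -244,13 +244,11 @@
 $trace = null;
 }
 
-$content = hsprintf(
+$content =
 '<div class="aphront-unhandled-exception">'.
-'<div class="exception-message">%s</div>'.
-'%s'.
-'</div>',
-$message,
-$trace);
+'<div class="exception-message">'.$message.'</div>'.
+$trace.
+'</div>';
 
 $dialog = new AphrontDialogView();
 $dialog
@@ -350,17 +348,17 @@
 ),
 $relative);
 }
-$file_name = hsprintf('%s : %d', $file_name, $part['line']);
+$file_name = $file_name.' : '.(int)$part['line'];
 } else {
-$file_name = phutil_tag('em', array(), '(Internal)');
+$file_name = '<em>(Internal)</em>';
 }
 
 
 $rows[] = array(
 $depth--,
-$lib,
+phutil_escape_html($lib),
 $file_name,
-$where,
+phutil_escape_html($where),
 );
 }
 $table = new AphrontTableView($rows);
@@ -379,12 +377,11 @@
 'wide',
 ));
 
-return hsprintf(
+return
 '<div class="exception-trace">'.
 '<div class="exception-trace-header">Stack Trace</div>'.
-'%s',
-'</div>',
-$table->render());
+$table->render().
+'</div>';
 }
 
 }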
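Review bot: The raw exception message still reaches `appendChild()` unescaped in the `AphrontUsageException` branch of the first hunk, although the line above it now escapes the title. Other files in this commit pass literal markup strings to `appendChild()`, so the message is presumably emitted as HTML as-is; a usage exception that carries request-derived text would then be rendered as markup. Escaping it the same way as the title closes the gap: `$error->appendChild(phutil_escape_html($ex->getMessage()));`. The enclosing method starts and ends outside the hunk, so confirm that `AphrontErrorView` does not already escape its children before applying this.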
+14 -16
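--- a/src/aphront/console/plugin/DarkConsoleErrorLogPlugin.php
+++ b/src/aphront/console/plugin/DarkConsoleErrorLogPlugin.php
@@ -36,7 +36,7 @@
 $data = $this->getData();
 
 $rows = array();
-$details = array();
+$details = '';
 
 foreach ($data as $index => $row) {
 $file = $row['file'];
@@ -50,11 +50,11 @@
 $row['str'].' at ['.basename($file).':'.$line.']');
 $rows[] = array($tag);
 
-$details[] = hsprintf(
-'<div class="dark-console-panel-error-details" id="row-details-%s">'.
-"%s\nStack trace:\n",
-$index,
-$row['details']);
+$details .=
+'<div class="dark-console-panel-error-details" id="row-details-'.
+$index.'">'.
+phutil_escape_html($row['details'])."\n".
+'Stack trace:'."\n";
 
 foreach ($row['trace'] as $key => $entry) {
 $line = '';
@@ -73,16 +73,16 @@
 }
 }
 
-$details[] = phutil_tag(
+$details .= phutil_tag(
 'a',
 array(
 'href' => $href,
 ),
 $line);
-$details[] = "\n";
+$details .= "\n";
 }
 
-$details[] = hsprintf('</div>');
+$details .= '</div>';
 }
 
 $table = new AphrontTableView($rows);
@@ -90,13 +90,11 @@
 $table->setHeaders(array('Error'));
 $table->setNoDataString('No errors.');
 
-return hsprintf(
-'<div>'.
-'<div>%s</div>'.
-'<pre class="PhabricatorMonospaced">%s</pre>'.
-'</div>',
-$table->render(),
-phutil_implode_html('', $details));
+return '<div>'.
+'<div>'.$table->render().'</div>'.
+'<pre class="PhabricatorMonospaced">'.
+$details.'</pre>'.
+'</div>';
 }
 }
 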
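Review bot: `$index` is concatenated into the `id="row-details-…"` attribute without escaping in the second hunk, whereas the removed `hsprintf()` call escaped it; `phutil_escape_html($index).'">'.` keeps the attribute closed whatever the keys of `getData()` turn out to be. The same loss of escaping appears in two other files of this commit: `$run` goes raw into the `href` and the `<iframe src>` in DarkConsoleXHProfPlugin.php, and `$forbidden_text` goes raw into `<p>` in Aphront403Response.php. Where those three values are assigned is outside the visible hunks, so whether they can hold request-influenced text cannot be confirmed from this page. Escaping at the point of output, as the rest of the commit does for table cells, removes the question.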
+10 -7
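--- a/src/aphront/console/plugin/DarkConsoleEventPlugin.php
+++ b/src/aphront/console/plugin/DarkConsoleEventPlugin.php
@@ -42,14 +42,17 @@
 
 $out = array();
 
-$out[] = hsprintf(
+$out[] =
 '<div class="dark-console-panel-header">'.
 '<h1>Registered Event Listeners</h1>'.
-'</div>');
+'</div>';
 
 $rows = array();
 foreach ($data['listeners'] as $listener) {
-$rows[] = array($listener['id'], $listener['class']);
+$rows[] = array(
+phutil_escape_html($listener['id']),
+phutil_escape_html($listener['class']),
+);
 }
 
 $table = new AphrontTableView($rows);
@@ -66,15 +69,15 @@
 
 $out[] = $table->render();
 
-$out[] = hsprintf(
+$out[] =
 '<div class="dark-console-panel-header">'.
 '<h1>Event Log</h1>'.
-'</div>');
+'</div>';
 
 $rows = array();
 foreach ($data['events'] as $event) {
 $rows[] = array(
-$event['type'],
+phutil_escape_html($event['type']),
 $event['stopped'] ? 'STOPPED' : null,
 );
 }
@@ -93,6 +96,6 @@
 $out[] = $table->render();
 
 
-return phutil_implode_html("\n", $out);
+return implode("\n", $out);
 }
 }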
+3 -3
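--- a/src/aphront/console/plugin/DarkConsoleRequestPlugin.php
+++ b/src/aphront/console/plugin/DarkConsoleRequestPlugin.php
@@ -43,8 +43,8 @@
 $rows = array();
 foreach ($map as $key => $value) {
 $rows[] = array(
-$key,
-(is_array($value) ? json_encode($value) : $value),
+phutil_escape_html($key),
+phutil_escape_html(is_array($value) ? json_encode($value) : $value),
 );
 }
 
@@ -62,6 +62,6 @@
 $out[] = $table->render();
 }
 
-return phutil_implode_html("\n", $out);
+return implode("\n", $out);
 }
 }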
+18 -14
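--- a/src/aphront/console/plugin/DarkConsoleServicesPlugin.php
+++ b/src/aphront/console/plugin/DarkConsoleServicesPlugin.php
@@ -149,21 +149,20 @@
 $log = $data['log'];
 $results = array();
 
-$results[] = hsprintf(
+$results[] =
 '<div class="dark-console-panel-header">'.
-'%s'.
+phutil_tag(
+'a',
+array(
+'href' => $data['analyzeURI'],
+'class' => $data['didAnalyze']
+? 'disabled button'
+: 'green button',
+),
+'Analyze Query Plans').
 '<h1>Calls to External Services</h1>'.
 '<div style="clear: both;"></div>'.
-'</div>',
-phutil_tag(
-'a',
-array(
-'href' => $data['analyzeURI'],
-'class' => $data['didAnalyze']
-? 'disabled button'
-: 'green button',
-),
-'Analyze Query Plans'));
+'</div>';
 
 $page_total = $data['end'] - $data['start'];
 $totals = array();
@@ -225,18 +224,23 @@
 $row['explain']['reason']);
 }
 
+$info = phutil_escape_html($info);
 break;
 case 'connect':
 $info = $row['host'].':'.$row['database'];
+$info = phutil_escape_html($info);
 break;
 case 'exec':
 $info = $row['command'];
+$info = phutil_escape_html($info);
 break;
 case 'conduit':
 $info = $row['method'];
+$info = phutil_escape_html($info);
 break;
 case 'http':
 $info = $row['uri'];
+$info = phutil_escape_html($info);
 break;
 default:
 $info = '-';
@@ -244,7 +248,7 @@
 }
 
 $rows[] = array(
-$row['type'],
+phutil_escape_html($row['type']),
 '+'.number_format(1000 * ($row['begin'] - $data['start'])).' ms',
 number_format(1000000 * $row['duration']).' us',
 $info,
@@ -272,7 +276,7 @@
 
 $results[] = $table->render();
 
-return phutil_implode_html("\n", $results);
+return implode("\n", $results);
 }
 }
 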
+20 -24
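--- a/src/aphront/console/plugin/DarkConsoleXHProfPlugin.php
+++ b/src/aphront/console/plugin/DarkConsoleXHProfPlugin.php
@@ -51,52 +51,48 @@
 'class' => 'bright-link',
 ),
 'Installation Guide');
-return hsprintf(
+return
 '<div class="dark-console-no-content">'.
 'The "xhprof" PHP extension is not available. Install xhprof '.
 'to enable the XHProf console plugin. You can find instructions in '.
-'the %s.'.
-'</div>',
-$install_guide);
+'the '.$install_guide.'.'.
+'</div>';
 }
 
 $result = array();
 
-$header = hsprintf(
+$header =
 '<div class="dark-console-panel-header">'.
-'%s'.
+phutil_tag(
+'a',
+array(
+'href' => $profile_uri,
+'class' => $run
+? 'disabled button'
+: 'green button',
+),
+'Profile Page').
 '<h1>XHProf Profiler</h1>'.
-'</div>',
-phutil_tag(
-'a',
-array(
-'href' => $profile_uri,
-'class' => $run
-? 'disabled button'
-: 'green button',
-),
-'Profile Page'));
+'</div>';
 $result[] = $header;
 
 if ($run) {
-$result[] = hsprintf(
-'<a href="/xhprof/profile/%s/" '.
+$result[] =
+'<a href="/xhprof/profile/'.$run.'/" '.
 'class="bright-link" '.
 'style="float: right; margin: 1em 2em 0 0;'.
 'font-weight: bold;" '.
 'target="_blank">Profile Permalink</a>'.
-'<iframe src="/xhprof/profile/%s/?frame=true"></iframe>',
-$run,
-$run);
+'<iframe src="/xhprof/profile/'.$run.'/?frame=true"></iframe>';
 } else {
-$result[] = hsprintf(
+$result[] =
 '<div class="dark-console-no-content">'.
 'Profiling was not enabled for this page. Use the button above '.
 'to enable it.'.
-'</div>');
+'</div>';
 }
 
-return phutil_implode_html("\n", $result);
+return implode("\n", $result);
 }
 
 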
+1 -1
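--- a/src/aphront/response/Aphront403Response.php
+++ b/src/aphront/response/Aphront403Response.php
@@ -26,7 +26,7 @@
 }
 $failure = new AphrontRequestFailureView();
 $failure->setHeader('403 Forbidden');
-$failure->appendChild(phutil_tag('p', array(), $forbidden_text));
+$failure->appendChild('<p>'.$forbidden_text.'</p>');
 
 $view = new PhabricatorStandardPageView();
 $view->setTitle('403 Forbidden');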
+1 -2
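--- a/src/aphront/response/Aphront404Response.php
+++ b/src/aphront/response/Aphront404Response.php
@@ -12,8 +12,7 @@
 public function buildResponseString() {
 $failure = new AphrontRequestFailureView();
 $failure->setHeader('404 Not Found');
-$failure->appendChild(phutil_tag('p', array(), pht(
-'The page you requested was not found.')));
+$failure->appendChild('<p>The page you requested was not found.</p>');
 
 $view = new PhabricatorStandardPageView();
 $view->setTitle('404 Not Found');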
+1 -1
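--- a/src/aphront/response/AphrontWebpageResponse.php
+++ b/src/aphront/response/AphrontWebpageResponse.php
@@ -13,7 +13,7 @@
 }
 
 public function buildResponseString() {
-return hsprintf('%s', $this->content);
+return $this->content;
 }
 
 }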
+2 -2
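--- a/src/applications/audit/controller/PhabricatorAuditListController.php
+++ b/src/applications/audit/controller/PhabricatorAuditListController.php
@@ -335,7 +335,7 @@
 }
 
 if ($handle) {
-$handle_name = $handle->getName();
+$handle_name = phutil_escape_html($handle->getName());
 } else {
 $handle_name = null;
 }
@@ -435,7 +435,7 @@
 }
 
 if ($handle) {
-$handle_name = $handle->getName();
+$handle_name = phutil_escape_html($handle->getName());
 } else {
 $handle_name = null;
 }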
+2 -2
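--- a/src/applications/audit/view/PhabricatorAuditCommitListView.php
+++ b/src/applications/audit/view/PhabricatorAuditCommitListView.php
@@ -70,10 +70,10 @@
 $rows[] = array(
 $commit_name,
 $author_name,
-$commit->getCommitData()->getSummary(),
+phutil_escape_html($commit->getCommitData()->getSummary()),
 PhabricatorAuditCommitStatusConstants::getStatusName(
 $commit->getAuditStatus()),
-phutil_implode_html(', ', $auditors),
+implode(', ', $auditors),
 phabricator_datetime($commit->getEpoch(), $this->user),
 );
 }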
+6 -3
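--- a/src/applications/audit/view/PhabricatorAuditListView.php
+++ b/src/applications/audit/view/PhabricatorAuditListView.php
@@ -129,7 +129,10 @@
 }
 
 $reasons = $audit->getAuditReasons();
-$reasons = phutil_implode_html(phutil_tag('br'), $reasons);
+foreach ($reasons as $key => $reason) {
+$reasons[$key] = phutil_escape_html($reason);
+}
+$reasons = implode('<br />', $reasons);
 
 $status_code = $audit->getAuditStatus();
 $status = PhabricatorAuditStatusConstants::getStatusName($status_code);
@@ -137,10 +140,10 @@
 $auditor_handle = $this->getHandle($audit->getAuditorPHID());
 $rows[] = array(
 $commit_name,
-$commit_desc,
+phutil_escape_html($commit_desc),
 $committed,
 $auditor_handle->renderLink(),
-$status,
+phutil_escape_html($status),
 $reasons,
 );
 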
+2 -2
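--- a/src/applications/auth/controller/PhabricatorDisabledUserController.php
+++ b/src/applications/auth/controller/PhabricatorDisabledUserController.php
@@ -16,8 +16,8 @@
 
 $failure_view = new AphrontRequestFailureView();
 $failure_view->setHeader(pht('Account Disabled'));
-$failure_view->appendChild(phutil_tag('p', array(), pht(
-'Your account has been disabled.')));
+$failure_view->appendChild(
+'<p>'.pht('Your account has been disabled.').'</p>');
 
 return $this->buildStandardPageResponse(
 $failure_view,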
+6 -4
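--- a/src/applications/auth/controller/PhabricatorEmailLoginController.php
+++ b/src/applications/auth/controller/PhabricatorEmailLoginController.php
@@ -98,8 +98,10 @@
 
 $view = new AphrontRequestFailureView();
 $view->setHeader(pht('Check Your Email'));
-$view->appendChild(phutil_tag('p', array(), pht(
-'An email has been sent with a link you can use to login.')));
+$view->appendChild(
+'<p>'.pht(
+'An email has been sent with a link you can use to login.'
+).'</p>');
 return $this->buildStandardPageResponse(
 $view,
 array(
@@ -138,8 +140,8 @@
 
 $panel = new AphrontPanelView();
 $panel->setWidth(AphrontPanelView::WIDTH_FORM);
-$panel->appendChild(phutil_tag('h1', array(), pht(
-'Forgot Password / Email Login')));
+$panel->appendChild('
+<h1>'.pht('Forgot Password / Email Login').'</h1>');
 $panel->appendChild($email_auth);
 $panel->setNoBackground();
 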
+8 -7
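--- a/src/applications/auth/controller/PhabricatorEmailTokenController.php
+++ b/src/applications/auth/controller/PhabricatorEmailTokenController.php
@@ -50,16 +50,17 @@
 
 $view = new AphrontRequestFailureView();
 $view->setHeader(pht('Unable to Login'));
-$view->appendChild(phutil_tag('p', array(), pht(
-'The authentication information in the link you clicked is '.
+$view->appendChild(
+'<p>'.pht('The authentication information in the link you clicked is '.
 'invalid or out of date. Make sure you are copy-and-pasting the '.
 'entire link into your browser. You can try again, or request '.
-'a new email.')));
-$view->appendChild(hsprintf(
+'a new email.').'</p>');
+$view->appendChild(
 '<div class="aphront-failure-continue">'.
-'<a class="button" href="/login/email/">%s</a>'.
-'</div>',
-pht('Send Another Email')));
+'<a class="button" href="/login/email/">'.
+pht('Send Another Email').
+'</a>'.
+'</div>');
 
 return $this->buildStandardPageResponse(
 $view,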
+10 -8
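--- a/src/applications/auth/controller/PhabricatorLDAPLoginController.php
+++ b/src/applications/auth/controller/PhabricatorLDAPLoginController.php
@@ -43,11 +43,12 @@
 $dialog = new AphrontDialogView();
 $dialog->setUser($current_user);
 $dialog->setTitle(pht('Already Linked to Another Account'));
-$dialog->appendChild(phutil_tag('p', array(), pht(
-'The LDAP account you just authorized is already '.
+$dialog->appendChild(
+'<p>'.pht('The LDAP account you just authorized is already '.
 'linked toanother Phabricator account. Before you can link it '.
 'to a different LDAP account, you must unlink the old '.
-'account.')));
+'account.').'</p>'
+);
 $dialog->addCancelButton('/settings/panel/ldap/');
 
 return id(new AphrontDialogResponse())->setDialog($dialog);
@@ -61,8 +62,10 @@
 $dialog = new AphrontDialogView();
 $dialog->setUser($current_user);
 $dialog->setTitle(pht('Link LDAP Account'));
-$dialog->appendChild(phutil_tag('p', array(), pht(
-'Link your LDAP account to your Phabricator account?')));
+$dialog->appendChild(
+'<p>'.
+pht('Link your LDAP account to your Phabricator account?').
+'</p>');
 $dialog->addHiddenInput('username', $request->getStr('username'));
 $dialog->addHiddenInput('password', $request->getStr('password'));
 $dialog->addSubmitButton(pht('Link Accounts'));
@@ -131,10 +134,9 @@
 
 $panel = new AphrontPanelView();
 $panel->setWidth(AphrontPanelView::WIDTH_FORM);
-$panel->appendChild(phutil_tag('h1', array(), pht('LDAP login')));
+$panel->appendChild('<h1>'.pht('LDAP login').'</h1>');
 $panel->appendChild($ldap_form);
 
-$error_view = null;
 if (isset($errors) && count($errors) > 0) {
 $error_view = new AphrontErrorView();
 $error_view->setTitle(pht('Login Failed'));
@@ -143,7 +145,7 @@
 
 return $this->buildStandardPageResponse(
 array(
-$error_view,
+isset($error_view) ? $error_view : null,
 $panel,
 ),
 array(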
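Review bot: Dropping `$error_view = null;` in the third hunk and compensating with `isset($error_view) ? $error_view : null` in the fourth makes the variable's existence depend on whether the `if` branch ran. Keeping the explicit initialisation and passing `$error_view` directly reads more plainly and avoids an undefined-variable notice if a later edit uses the variable elsewhere. This is a style point only; the rendered result is the same either way. The method body continues outside both hunks.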
+3 -3
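--- a/src/applications/auth/controller/PhabricatorLDAPUnlinkController.php
+++ b/src/applications/auth/controller/PhabricatorLDAPUnlinkController.php
@@ -18,9 +18,9 @@
 $dialog = new AphrontDialogView();
 $dialog->setUser($user);
 $dialog->setTitle(pht('Really unlink account?'));
-$dialog->appendChild(phutil_tag('p', array(), pht(
-'You will not be able to login using this account '.
-'once you unlink it. Continue?')));
+$dialog->appendChild(
+'<p>'.pht('You will not be able to login using this account '.
+'once you unlink it. Continue?').'</p>');
 $dialog->addSubmitButton(pht('Unlink Account'));
 $dialog->addCancelButton('/settings/panel/ldap/');
 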
+5 -5
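--- a/src/applications/auth/controller/PhabricatorLoginController.php
+++ b/src/applications/auth/controller/PhabricatorLoginController.php
@@ -29,8 +29,7 @@
 $dialog = new AphrontDialogView();
 $dialog->setUser($user);
 $dialog->setTitle(pht('Login Required'));
-$dialog->appendChild(phutil_tag('p', array(), pht(
-'You must login to continue.')));
+$dialog->appendChild('<p>'.pht('You must login to continue.').'</p>');
 $dialog->addSubmitButton(pht('Login'));
 $dialog->addCancelButton('/', pht('Cancel'));
 
@@ -247,7 +246,8 @@
 $title = pht("Login or Register with %s", $provider_name);
 $body = pht('Login or register for Phabricator using your %s account.',
 $provider_name);
-$button = pht("Login or Register with %s", $provider_name);
+$button = pht("Login or Register with %s",
+phutil_escape_html($provider_name));
 } else {
 $title = pht("Login with %s", $provider_name);
 $body = hsprintf(
@@ -258,7 +258,7 @@
 pht(
 'You can not use %s to register a new account.',
 $provider_name));
-$button = pht("Log in with %s", phutil_escape_html($provider_name));
+$button = pht("Log in with %s", $provider_name);
 }
 
 $auth_form = new AphrontFormView();
@@ -299,7 +299,7 @@
 return $this->buildApplicationPage(
 array(
 $error_view,
-phutil_safe_html($login_message),
+$login_message,
 $panel,
 ),
 array(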
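Review bot: `$button` is now built from `phutil_escape_html($provider_name)` in the second and third hunks, but `$title` and `$body` in the same branches still interpolate the raw `$provider_name`. Where the three strings are rendered is outside the hunks, so it is not visible which sinks escape and which emit HTML as-is; as written, either `$button` risks double-escaping or `$title` and `$body` are unescaped output. A one-line comment at the assignments would settle it for the next reader, for example `// $button is emitted as raw HTML; $title and $body are escaped by the view`, adjusted to what the sinks actually do.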
+7 -11
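--- a/src/applications/auth/controller/PhabricatorLoginValidateController.php
+++ b/src/applications/auth/controller/PhabricatorLoginValidateController.php
@@ -49,18 +49,14 @@
 
 $view = new AphrontRequestFailureView();
 $view->setHeader(pht('Login Failed'));
-$view->appendChild(hsprintf(
-'<p>%s</p>%s<p>%s</p>',
-pht('Login failed:'),
-$list,
-pht(
-'<strong>Clear your cookies</strong> and try again.',
-hsprintf(''))));
-$view->appendChild(hsprintf(
+$view->appendChild(
+'<p>'.pht('Login failed:').'</p>'.
+$list.
+'<p>'.pht('<strong>Clear your cookies</strong> and try again.').'</p>');
+$view->appendChild(
 '<div class="aphront-failure-continue">'.
-'<a class="button" href="/login/">%s</a>'.
-'</div>',
-pht('Try Again')));
+'<a class="button" href="/login/">'.pht('Try Again').'</a>'.
+'</div>');
 return $this->buildStandardPageResponse(
 $view,
 array(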
+1 -2
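--- a/src/applications/auth/controller/PhabricatorLogoutController.php
+++ b/src/applications/auth/controller/PhabricatorLogoutController.php
@@ -46,8 +46,7 @@
 $dialog = id(new AphrontDialogView())
 ->setUser($user)
 ->setTitle(pht('Log out of Phabricator?'))
-->appendChild(phutil_tag('p', array(), pht(
-'Are you sure you want to log out?')))
+->appendChild('<p>'.pht('Are you sure you want to log out?').'</p>')
 ->addSubmitButton(pht('Logout'))
 ->addCancelButton('/');
 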
+22 -17
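--- a/src/applications/auth/controller/PhabricatorMustVerifyEmailController.php
+++ b/src/applications/auth/controller/PhabricatorMustVerifyEmailController.php
@@ -41,26 +41,31 @@
 
 $error_view = new AphrontRequestFailureView();
 $error_view->setHeader(pht('Check Your Email'));
-$error_view->appendChild(phutil_tag('p', array(), pht(
-'You must verify your email address to login. You should have a new '.
+$error_view->appendChild(
+'<p>'.
+pht('You must verify your email address to login. You should have a new '.
 'email message from Phabricator with verification instructions in your '.
-'inbox (%s).', phutil_tag('strong', array(), $email_address))));
-$error_view->appendChild(phutil_tag('p', array(), pht(
-'If you did not receive an email, you can click the button below '.
-'to try sending another one.')));
-$error_view->appendChild(hsprintf(
-'<div class="aphront-failure-continue">%s</div>',
-phabricator_form(
-$user,
-array(
-'action' => '/login/mustverify/',
-'method' => 'POST',
-),
-phutil_tag(
-'button',
+'inbox (%s).', phutil_tag('strong', array(), $email_address)).
+'</p>');
+$error_view->appendChild(
+'<p>'.
+pht('If you did not receive an email, you can click the button below '.
+'to try sending another one.').
+'</p>');
+$error_view->appendChild(
+'<div class="aphront-failure-continue">'.
+phabricator_form(
+$user,
 array(
+'action' => '/login/mustverify/',
+'method' => 'POST',
 ),
-pht('Send Another Email')))));
+phutil_tag(
+'button',
+array(
+),
+pht('Send Another Email'))).
+'</div>');
 
 
 return $this->buildApplicationPage(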
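Review bot: The new side still calls `phabricator_form()`, while this same commit changes the comment in src/aphront/AphrontRequest.php to name `phabricator_render_form()` as the helper that adds the magic request parameters. Neither definition is visible on this page, so it needs checking against the tree that `phabricator_form()` still exists after the revert and still injects those parameters for this POST form. Its result is also joined to `'<div class="aphront-failure-continue">'.` and `.'</div>'` by plain concatenation, which only works if the helper returns a string. If the older helper is the intended one, the call would read `phabricator_render_form(`.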
+11 -11
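--- a/src/applications/auth/controller/PhabricatorOAuthDiagnosticsController.php
+++ b/src/applications/auth/controller/PhabricatorOAuthDiagnosticsController.php
@@ -21,11 +21,11 @@
 $client_id = $provider->getClientID();
 $client_secret = $provider->getClientSecret();
 $key = $provider->getProviderKey();
-$name = $provider->getProviderName();
+$name = phutil_escape_html($provider->getProviderName());
 
-$res_ok = hsprintf('<strong style="color: #00aa00;">OK</strong>');
-$res_no = hsprintf('<strong style="color: #aa0000;">NO</strong>');
-$res_na = hsprintf('<strong style="color: #999999;">N/A</strong>');
+$res_ok = '<strong style="color: #00aa00;">OK</strong>';
+$res_no = '<strong style="color: #aa0000;">NO</strong>';
+$res_na = '<strong style="color: #999999;">N/A</strong>';
 
 $results = array();
 $auth_key = $key . '.auth-enabled';
@@ -159,10 +159,10 @@
 $rows = array();
 foreach ($results as $key => $result) {
 $rows[] = array(
-$key,
+phutil_escape_html($key),
 $result[0],
-$result[1],
-$result[2],
+phutil_escape_html($result[1]),
+phutil_escape_html($result[2]),
 );
 }
 
@@ -186,11 +186,11 @@
 
 $panel_view = new AphrontPanelView();
 $panel_view->setHeader($title);
-$panel_view->appendChild(hsprintf(
+$panel_view->appendChild(
 '<p class="aphront-panel-instructions">These tests may be able to '.
-'help diagnose the root cause of problems you experience with %s '.
-'Authentication. Reload the page to run the tests again.</p>',
-$provider->getProviderName()));
+'help diagnose the root cause of problems you experience with '.
+$provider->getProviderName() .
+' Authentication. Reload the page to run the tests again.</p>');
 $panel_view->appendChild($table_view);
 
 return $this->buildStandardPageResponse(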
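Review bot: The instructions paragraph in the last hunk concatenates `$provider->getProviderName()` into the `<p>` unescaped, although the first hunk already stores an escaped copy of the same value in `$name`. The removed `hsprintf()` form escaped this argument, so the new side is weaker than the code it replaces. Reusing the escaped variable keeps the two outputs consistent: `$name.` in place of `$provider->getProviderName() .`.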
+4 -3
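--- a/src/applications/auth/controller/PhabricatorOAuthLoginController.php
+++ b/src/applications/auth/controller/PhabricatorOAuthLoginController.php
@@ -116,9 +116,10 @@
 $dialog = new AphrontDialogView();
 $dialog->setUser($current_user);
 $dialog->setTitle(pht('Link %s Account', $provider_name));
-$dialog->appendChild(phutil_tag('p', array(), pht(
-'Link your %s account to your Phabricator account?',
-$provider_name)));
+$dialog->appendChild(
+pht(
+'<p>Link your %s account to your Phabricator account?</p>',
+phutil_escape_html($provider_name)));
 $dialog->addHiddenInput('confirm_token', $provider->getAccessToken());
 $dialog->addHiddenInput('expires', $oauth_info->getTokenExpires());
 $dialog->addHiddenInput('state', $this->oauthState);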
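Review bot: The `<p>` markup is placed inside the translatable string here, `pht('<p>Link your %s account to your Phabricator account?</p>', …)`, while most other dialogs in this commit keep the tags in code, as in `'<p>'.pht(…).'</p>'`. With the tags in the message, a translation can alter or drop them and the markup is no longer fixed by the controller. Matching the other call sites would read `'<p>'.pht('Link your %s account to your Phabricator account?', phutil_escape_html($provider_name)).'</p>'`.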
+3 -3
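--- a/src/applications/auth/controller/PhabricatorOAuthUnlinkController.php
+++ b/src/applications/auth/controller/PhabricatorOAuthUnlinkController.php
@@ -34,9 +34,9 @@
 $dialog = new AphrontDialogView();
 $dialog->setUser($user);
 $dialog->setTitle(pht('Really unlink account?'));
-$dialog->appendChild(phutil_tag('p', array(), pht(
-'You will not be able to login using this account '.
-'once you unlink it. Continue?')));
+$dialog->appendChild(
+'<p>'.pht('You will not be able to login using this account '.
+'once you unlink it. Continue?').'</p>');
 $dialog->addSubmitButton(pht('Unlink Account'));
 $dialog->addCancelButton($provider->getSettingsPanelURI());
 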
+4 -5
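--- a/src/applications/auth/view/PhabricatorOAuthFailureView.php
+++ b/src/applications/auth/view/PhabricatorOAuthFailureView.php
@@ -77,12 +77,11 @@
 $provider_name);
 }
 
-$view->appendChild(hsprintf(
+$view->appendChild(
 '<div class="aphront-failure-continue">'.
-'%s<a href="/login/" class="button">%s</a>'.
-'</div>',
-$diagnose,
-pht('Continue')));
+$diagnose.
+'<a href="/login/" class="button">'.pht('Continue').'</a>'.
+'</div>');
 
 return $view->render();
 }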
+5 -4
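--- a/src/applications/base/controller/PhabricatorController.php
+++ b/src/applications/base/controller/PhabricatorController.php
@@ -203,9 +203,10 @@
 $view = new PhabricatorStandardPageView();
 $view->setRequest($request);
 $view->setController($this);
-$view->appendChild(hsprintf(
-'<div style="padding: 2em 0;">%s</div>',
-$response->buildResponseString()));
+$view->appendChild(
+'<div style="padding: 2em 0;">'.
+$response->buildResponseString().
+'</div>');
 $response = new AphrontWebpageResponse();
 $response->setContent($view->render());
 return $response;
@@ -276,7 +277,7 @@
 $items[] = $this->getHandle($phid)->renderLink();
 }
 
-return phutil_implode_html($style_map[$style], $items);
+return array_interleave($style_map[$style], $items);
 }
 
 protected function buildApplicationMenu() {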
+3 -1
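--- a/src/applications/calendar/controller/PhabricatorCalendarBrowseController.php
+++ b/src/applications/calendar/controller/PhabricatorCalendarBrowseController.php
@@ -55,7 +55,9 @@
 $nav->appendChild(
 array(
 $this->getNoticeView(),
-hsprintf('<div style="padding: 20px;">%s</div>', $month_view->render()),
+'<div style="padding: 20px;">',
+$month_view,
+'</div>',
 ));
 
 return $this->buildApplicationPage(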
+2 -2
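--- a/src/applications/calendar/controller/PhabricatorCalendarViewStatusController.php
+++ b/src/applications/calendar/controller/PhabricatorCalendarViewStatusController.php
@@ -94,7 +94,7 @@
 } else {
 $no_data =
 pht('%s does not have any upcoming status events.',
-$this->getHandle($this->phid)->getName());
+phutil_escape_html($this->getHandle($this->phid)->getName()));
 }
 return $no_data;
 }
@@ -115,7 +115,7 @@
 } else {
 $page_title = pht(
 'Upcoming Statuses for %s',
-$this->getHandle($this->phid)->getName()
+phutil_escape_html($this->getHandle($this->phid)->getName())
 );
 }
 return $page_title;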
+34 -41
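--- a/src/applications/calendar/view/AphrontCalendarMonthView.php
+++ b/src/applications/calendar/view/AphrontCalendarMonthView.php
@@ -48,10 +48,9 @@
 
 $markup = array();
 
-$empty_box = phutil_tag(
-'div',
-array('class' => 'aphront-calendar-day aphront-calendar-empty'),
-'');
+$empty_box =
+'<div class="aphront-calendar-day aphront-calendar-empty">'.
+'</div>';
 
 for ($ii = 0; $ii < $empty; $ii++) {
 $markup[] = $empty_box;
@@ -80,10 +79,9 @@
 } else {
 $show_events = array_fill_keys(
 array_keys($show_events),
-hsprintf(
-'<div class="aphront-calendar-event aphront-calendar-event-empty">'.
-'&nbsp;'.
-'</div>'));
+'<div class="aphront-calendar-event aphront-calendar-event-empty">'.
+'&nbsp;'.
+'</div>');
 }
 
 foreach ($events as $event) {
@@ -102,42 +100,38 @@
 
 $holiday_markup = null;
 if ($holiday) {
-$name = $holiday->getName();
-$holiday_markup = phutil_tag(
-'div',
-array(
-'class' => 'aphront-calendar-holiday',
-'title' => $name,
-),
-$name);
+$name = phutil_escape_html($holiday->getName());
+$holiday_markup =
+'<div class="aphront-calendar-holiday" title="'.$name.'">'.
+$name.
+'</div>';
 }
 
-$markup[] = hsprintf(
-'<div class="%s">'.
-'<div class="aphront-calendar-date-number">%s</div>'.
-'%s%s'.
-'</div>',
-$class,
-$day_number,
-$holiday_markup,
-phutil_implode_html("\n", $show_events));
+$markup[] =
+'<div class="'.$class.'">'.
+'<div class="aphront-calendar-date-number">'.
+$day_number.
+'</div>'.
+$holiday_markup.
+implode("\n", $show_events).
+'</div>';
 }
 
 $table = array();
 $rows = array_chunk($markup, 7);
 foreach ($rows as $row) {
-$table[] = hsprintf('<tr>');
+$table[] = '<tr>';
 while (count($row) < 7) {
 $row[] = $empty_box;
 }
 foreach ($row as $cell) {
-$table[] = phutil_tag('p', array(), $cell);
+$table[] = '<td>'.$cell.'</td>';
 }
-$table[] = hsprintf('</tr>');
+$table[] = '</tr>';
 }
-$table = hsprintf(
+$table =
 '<table class="aphront-calendar-view">'.
-'%s'.
+$this->renderCalendarHeader($first).
 '<tr class="aphront-calendar-day-of-week-header">'.
 '<th>Sun</th>'.
 '<th>Mon</th>'.
@@ -147,10 +141,8 @@
 '<th>Fri</th>'.
 '<th>Sat</th>'.
 '</tr>'.
-'%s'.
-'</table>',
-$this->renderCalendarHeader($first),
-phutil_implode_html("\n", $table));
+implode("\n", $table).
+'</table>';
 
 return $table;
 }
@@ -181,15 +173,16 @@
 "\xE2\x86\x92"
 );
 
-$left_th = phutil_tag('th', array(), $prev_link);
-$right_th = phutil_tag('th', array(), $next_link);
+$left_th = '<th>'.$prev_link.'</th>';
+$right_th = '<th>'.$next_link.'</th>';
 }
 
-return hsprintf(
-'<tr class="aphront-calendar-month-year-header">%s%s%s</tr>',
-$left_th,
-phutil_tag('th', array('colspan' => $colspan), $date->format('F Y')),
-$right_th);
+return
+'<tr class="aphront-calendar-month-year-header">'.
+$left_th.
+'<th colspan="'.$colspan.'">'.$date->format('F Y').'</th>'.
+$right_th.
+'</tr>';
 }
 
 private function getNextYearAndMonth() {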
+8 -5
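--- a/src/applications/chatlog/controller/PhabricatorChatLogChannelLogController.php
+++ b/src/applications/chatlog/controller/PhabricatorChatLogChannelLogController.php
@@ -94,6 +94,7 @@
 require_celerity_resource('phabricator-chatlog-css');
 
 $out = array();
+$out[] = '<table class="phabricator-chat-log">';
 foreach ($blocks as $block) {
 $author = $block['author'];
 $author = phutil_utf8_shorten($author, 18);
@@ -121,6 +122,7 @@
 ),
 array($author, $message, $timestamp));
 }
+$out[] = '</table>';
 
 $form = id(new AphrontFormView())
 ->setUser($user)
@@ -138,11 +140,12 @@
 
 return $this->buildStandardPageResponse(
 array(
-hsprintf(
-'<div class="phabricator-chat-log-panel">%s<br />%s%s</div>',
-$form,
-phutil_tag('table', array('class' => 'phabricator-chat-log'), $out),
-$pager),
+'<div class="phabricator-chat-log-panel">',
+$form,
+'<br />',
+implode("\n", $out),
+$pager,
+'</div>',
 ),
 array(
 'title' => 'Channel Log',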
+2 -2
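--- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
@@ -346,7 +346,7 @@
 if ($request) {
 foreach ($request->getAllParameters() as $key => $value) {
 $param_rows[] = array(
-$key,
+phutil_escape_html($key),
 $this->renderAPIValue($value),
 );
 }
@@ -362,7 +362,7 @@
 $result_rows = array();
 foreach ($result as $key => $value) {
 $result_rows[] = array(
-$key,
+phutil_escape_html($key),
 $this->renderAPIValue($value),
 );
 }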
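--- a/src/applications/conduit/controller/PhabricatorConduitConsoleController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitConsoleController.php
@@ -109,7 +109,7 @@
 ->setValue('Call Method'));
 
 $panel = new AphrontPanelView();
-$panel->setHeader('Conduit API: '.$this->method);
+$panel->setHeader('Conduit API: '.phutil_escape_html($this->method));
 $panel->appendChild($form);
 $panel->setWidth(AphrontPanelView::WIDTH_FULL);
 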
+2 -2
src/applications/conduit/controller/PhabricatorConduitListController.php
··· 59 59 60 60 $utils = new AphrontPanelView(); 61 61 $utils->setHeader('Utilities'); 62 - $utils->appendChild(hsprintf( 62 + $utils->appendChild( 63 63 '<ul>'. 64 64 '<li><a href="/conduit/log/">Log</a> - Conduit Method Calls</li>'. 65 65 '<li><a href="/conduit/token/">Token</a> - Certificate Install</li>'. 66 - '</ul>')); 66 + '</ul>'); 67 67 $utils->setWidth(AphrontPanelView::WIDTH_FULL); 68 68 69 69 $this->setShowSideNav(false);
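--- a/src/applications/conduit/controller/PhabricatorConduitLogController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitLogController.php
@@ -65,9 +65,9 @@
 }
 $rows[] = array(
 $call->getConnectionID(),
-$conn->getUserName(),
-$call->getMethod(),
-$call->getError(),
+phutil_escape_html($conn->getUserName()),
+phutil_escape_html($call->getMethod()),
+phutil_escape_html($call->getError()),
 number_format($call->getDuration()).' us',
 phabricator_datetime($call->getDateCreated(), $user),
 );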
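--- a/src/applications/config/controller/PhabricatorConfigAllController.php
+++ b/src/applications/config/controller/PhabricatorConfigAllController.php
@@ -14,12 +14,13 @@
 $key = $option->getKey();
 
 if ($option->getMasked()) {
-$value = phutil_tag('em', array(), pht('Masked'));
+$value = '<em>'.pht('Masked').'</em>';
 } else if ($option->getHidden()) {
-$value = phutil_tag('em', array(), pht('Hidden'));
+$value = '<em>'.pht('Hidden').'</em>';
 } else {
 $value = PhabricatorEnv::getEnvConfig($key);
 $value = PhabricatorConfigJSON::prettyPrintJSON($value);
+$value = phutil_escape_html($value);
 }
 
 $rows[] = array(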
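--- a/src/applications/config/response/PhabricatorConfigResponse.php
+++ b/src/applications/config/response/PhabricatorConfigResponse.php
@@ -23,18 +23,20 @@
 
 $view = $this->view->render();
 
-return hsprintf(
-'<!DOCTYPE html>'.
-'<html>'.
-'<head>'.
-'<meta charset="UTF-8" />'.
-'<title>Phabricator Setup</title>'.
-'%s'.
-'</head>'.
-'<body class="setup-fatal">%s</body>'.
-'</html>',
-$resources,
-$view);
+$template = <<<EOTEMPLATE
+<!doctype html>
+<html>
+<head>
+<title>Phabricator Setup</title>
+{$resources}
+</head>
+<body class="setup-fatal">
+{$view}
+</body>
+</html>
+EOTEMPLATE;
+
+return $template;
 }
 
 private function buildResources() {
@@ -47,12 +49,11 @@
 
 $resources = array();
 foreach ($css as $path) {
-$resources[] = phutil_tag(
-'style',
-array('type' => 'text/css'),
-Filesystem::readFile($webroot.'/rsrc/css/'.$path));
+$resources[] = '<style type="text/css">';
+$resources[] = Filesystem::readFile($webroot.'/rsrc/css/'.$path);
+$resources[] = '</style>';
 }
-return phutil_implode_html("\n", $resources);
+return implode("\n", $resources);
 }
 
 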
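Review bot: The heredoc template added in the hunk at line 23 no longer contains the `<meta charset="UTF-8" />` element that the removed hsprintf() template emitted. Unless the response declares a charset in its Content-Type header (not visible in this section), the setup page's encoding is left to browser sniffing; add `<meta charset="UTF-8" />` as the first line inside `<head>`. `{$resources}` and `{$view}` are interpolated raw, which holds only while both come from buildResources() and `$this->view->render()` as they do here; a one-line comment above the heredoc saying so would help the next editor.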
+5 -5
src/applications/config/view/PhabricatorSetupIssueView.php
··· 44 44 ), 45 45 array( 46 46 phutil_tag('p', array(), $run_these), 47 - phutil_tag('pre', array(), phutil_implode_html("\n", $commands)), 47 + phutil_tag('pre', array(), array_interleave("\n", $commands)), 48 48 )); 49 49 } 50 50 ··· 114 114 array( 115 115 'class' => 'setup-issue', 116 116 ), 117 - $this->renderSingleView( 117 + $this->renderHTMLView( 118 118 array( 119 119 $name, 120 120 $description, ··· 155 155 '<tt>phabricator/ $</tt> ./bin/config set %s <em>value</em>', 156 156 $key); 157 157 } 158 - $update = phutil_tag('pre', array(), phutil_implode_html("\n", $update)); 158 + $update = phutil_tag('pre', array(), array_interleave("\n", $update)); 159 159 } else { 160 160 $update = array(); 161 161 foreach ($configs as $config) { ··· 187 187 array( 188 188 'class' => 'setup-issue-config', 189 189 ), 190 - self::renderSingleView( 190 + self::renderHTMLView( 191 191 array( 192 192 $table_info, 193 193 $table, ··· 293 293 array( 294 294 'class' => 'setup-issue-config', 295 295 ), 296 - $this->renderSingleView( 296 + $this->renderHTMLView( 297 297 array( 298 298 $table_info, 299 299 $table,
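--- a/src/applications/conpherence/controller/ConpherenceController.php
+++ b/src/applications/conpherence/controller/ConpherenceController.php
@@ -159,7 +159,8 @@
 $item->addClass('hide-unread-count');
 }
 
-$nav->addCustomBlock($item->render());
+// TODO: [HTML] Clean this up when we clean up HTML stuff in Conpherence.
+$nav->addCustomBlock(phutil_safe_html($item->render()));
 }
 if (empty($conpherences) || $read) {
 $nav->addCustomBlock($this->getNoConpherencesBlock());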
+5 -5
src/applications/conpherence/controller/ConpherenceViewController.php
··· 149 149 ->setMarkupEngine($engine) 150 150 ->render(); 151 151 } 152 - $transactions = phutil_implode_html(' ', $rendered_transactions); 152 + $transactions = implode(' ', $rendered_transactions); 153 153 154 154 $form = 155 155 id(new AphrontFormView()) ··· 283 283 'src' => $thumb 284 284 ), 285 285 ''), 286 - $file->getName(), 286 + phutil_escape_html($file->getName()), 287 287 ); 288 288 } 289 289 $header = id(new PhabricatorHeaderView()) ··· 292 292 ->setNoDataString(pht('No files attached to conpherence.')) 293 293 ->setHeaders(array('', pht('Name'))) 294 294 ->setColumnClasses(array('', 'wide')); 295 - return hsprintf('%s%s', $header->render(), $table->render()); 295 + return new PhutilSafeHTML($header->render() . $table->render()); 296 296 } 297 297 298 298 private function renderTaskWidgetPaneContent() { ··· 328 328 ->setColumnClasses(array('', 'wide')); 329 329 $content[] = $table->render(); 330 330 } 331 - return phutil_implode_html('', $content); 331 + return new PhutilSafeHTML(implode('', $content)); 332 332 } 333 333 334 334 private function renderCalendarWidgetPaneContent() { ··· 416 416 } 417 417 } 418 418 419 - return phutil_implode_html('', $content); 419 + return new PhutilSafeHTML(implode('', $content)); 420 420 } 421 421 422 422 private function getCalendarWidgetWeekTimestamps() {
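Review bot: The three returns changed in the hunks at lines 283, 328 and 416 wrap concatenated strings in `new PhutilSafeHTML(...)`, while other files in this commit use `phutil_safe_html(...)` and mark the spot with a `// TODO: [HTML]` comment. Using the same helper and marker here keeps every hand-blessed string findable with one search, e.g. `return phutil_safe_html(implode('', $content));` preceded by `// TODO: [HTML] $content must hold only already-escaped markup.`. The first of the three also puts spaces around the concatenation operator (`$header->render() . $table->render()`), unlike the rest of the change. `$content` is filled outside these hunks, so whether every element is already escaped cannot be confirmed from here.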
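--- a/src/applications/conpherence/storage/ConpherenceTransaction.php
+++ b/src/applications/conpherence/storage/ConpherenceTransaction.php
@@ -50,18 +50,18 @@
 $title = pht(
 '%s renamed this conpherence from "%s" to "%s".',
 $this->renderHandleLink($author_phid),
-$old,
-$new);
+phutil_escape_html($old),
+phutil_escape_html($new));
 } else if ($old) {
 $title = pht(
 '%s deleted the conpherence name "%s".',
 $this->renderHandleLink($author_phid),
-$old);
+phutil_escape_html($old));
 } else {
 $title = pht(
 '%s named this conpherence "%s".',
 $this->renderHandleLink($author_phid),
-$new);
+phutil_escape_html($new));
 }
 return $title;
 case ConpherenceTransactionType::TYPE_FILES: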
+1 -1
src/applications/conpherence/view/ConpherenceMenuItemView.php
··· 139 139 (int)$this->unreadCount); 140 140 } 141 141 142 - return $this->renderSingleView( 142 + return $this->renderHTMLView( 143 143 array( 144 144 $image, 145 145 $title,
+1 -1
src/applications/conpherence/view/ConpherenceTransactionView.php
··· 87 87 array( 88 88 'class' => $content_class 89 89 ), 90 - $this->renderSingleView($content)) 90 + $this->renderHTMLView($content)) 91 91 ); 92 92 93 93 return $transaction_view->render();
+1 -1
src/applications/countdown/controller/PhabricatorCountdownListController.php
··· 46 46 'Delete'); 47 47 } 48 48 $rows[] = array( 49 - $timer->getID(), 49 + phutil_escape_html($timer->getID()), 50 50 $handles[$timer->getAuthorPHID()]->renderLink(), 51 51 phutil_tag( 52 52 'a',
+2 -2
src/applications/daemon/controller/PhabricatorDaemonConsoleController.php
··· 30 30 $rows = array(); 31 31 foreach ($completed_info as $class => $info) { 32 32 $rows[] = array( 33 - $class, 33 + phutil_escape_html($class), 34 34 number_format($info['n']), 35 35 number_format((int)($info['duration'] / $info['n'])).' us', 36 36 ); ··· 127 127 $rows = array(); 128 128 foreach ($queued as $row) { 129 129 $rows[] = array( 130 - $row['taskClass'], 130 + phutil_escape_html($row['taskClass']), 131 131 number_format($row['N']), 132 132 ); 133 133 }
+15 -14
src/applications/daemon/controller/PhabricatorWorkerTaskUpdateController.php
··· 72 72 case 'retry': 73 73 if ($can_retry) { 74 74 $dialog->setTitle('Really retry task?'); 75 - $dialog->appendChild(phutil_tag('p', array(), pht( 76 - 'The task will be put back in the queue and executed again.'))); 75 + $dialog->appendChild( 76 + '<p>The task will be put back in the queue and executed '. 77 + 'again.</p>'); 77 78 $dialog->addSubmitButton('Retry Task'); 78 79 } else { 79 80 $dialog->setTitle('Can Not Retry'); 80 - $dialog->appendChild(phutil_tag('p', array(), pht( 81 - 'Only archived, unsuccessful tasks can be retried.'))); 81 + $dialog->appendChild( 82 + '<p>Only archived, unsuccessful tasks can be retried.</p>'); 82 83 } 83 84 break; 84 85 case 'cancel': 85 86 if ($can_cancel) { 86 87 $dialog->setTitle('Really cancel task?'); 87 - $dialog->appendChild(phutil_tag('p', array(), pht( 88 - 'The work this task represents will never be performed if you '. 89 - 'cancel it. Are you sure you want to cancel it?'))); 88 + $dialog->appendChild( 89 + '<p>The work this task represents will never be performed if you '. 90 + 'cancel it. Are you sure you want to cancel it?</p>'); 90 91 $dialog->addSubmitButton('Cancel Task'); 91 92 } else { 92 93 $dialog->setTitle('Can Not Cancel'); 93 - $dialog->appendChild(phutil_tag('p', array(), pht( 94 - 'Only active tasks can be cancelled.'))); 94 + $dialog->appendChild( 95 + '<p>Only active tasks can be cancelled.</p>'); 95 96 } 96 97 break; 97 98 case 'release': 98 99 if ($can_release) { 99 100 $dialog->setTitle('Really free task lease?'); 100 - $dialog->appendChild(phutil_tag('p', array(), pht( 101 - 'If the process which owns the task lease is still doing work '. 101 + $dialog->appendChild( 102 + '<p>If the process which owns the task lease is still doing work '. 102 103 'on it, the work may be performed twice. Are you sure you '. 
103 - 'want to free the lease?'))); 104 + 'want to free the lease?</p>'); 104 105 $dialog->addSubmitButton('Free Lease'); 105 106 } else { 106 107 $dialog->setTitle('Can Not Free Lease'); 107 - $dialog->appendChild(phutil_tag('p', array(), pht( 108 - 'Only active, leased tasks may have their leases freed.'))); 108 + $dialog->appendChild( 109 + '<p>Only active, leased tasks may have their leases freed.</p>'); 109 110 } 110 111 break; 111 112 default:
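Review bot: The dialog paragraphs in this section are now hard-coded English inside the `<p>` literals, so the strings no longer pass through pht() and cannot be translated. DifferentialCommentSaveController in the same commit keeps the pht() call when it switches to concatenation, and the same form works here, e.g. `$dialog->appendChild('<p>'.pht('Only active tasks can be cancelled.').'</p>');`. This applies to all six appendChild() calls in the retry, cancel and release cases.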
+1 -1
src/applications/daemon/view/PhabricatorDaemonLogEventsView.php
··· 60 60 } 61 61 62 62 $row = array( 63 - $event->getLogType(), 63 + phutil_escape_html($event->getLogType()), 64 64 phabricator_date($event->getEpoch(), $this->user), 65 65 phabricator_time($event->getEpoch(), $this->user), 66 66 phutil_escape_html_newlines($message.$more),
+2 -2
src/applications/daemon/view/PhabricatorDaemonLogListView.php
··· 76 76 77 77 $rows[] = array( 78 78 $running, 79 - $log->getDaemon(), 80 - $log->getHost(), 79 + phutil_escape_html($log->getDaemon()), 80 + phutil_escape_html($log->getHost()), 81 81 $log->getPID(), 82 82 phabricator_date($epoch, $this->user), 83 83 phabricator_time($epoch, $this->user),
+4 -3
src/applications/differential/controller/DifferentialCommentSaveController.php
··· 60 60 61 61 if (strlen($comment) || $has_inlines) { 62 62 $dialog->addSubmitButton(pht('Post as Comment')); 63 - $dialog->appendChild(phutil_tag('br')); 64 - $dialog->appendChild(phutil_tag('p', array(), pht( 65 - 'Do you want to post your feedback anyway, as a normal comment?'))); 63 + $dialog->appendChild('<br />'); 64 + $dialog->appendChild( 65 + '<p>'.pht('Do you want to post your feedback anyway, as a normal '. 66 + 'comment?').'</p>'); 66 67 } 67 68 68 69 return id(new AphrontDialogResponse())->setDialog($dialog);
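--- a/src/applications/differential/controller/DifferentialDiffViewController.php
+++ b/src/applications/differential/controller/DifferentialDiffViewController.php
@@ -25,21 +25,16 @@
 'href' => PhabricatorEnv::getURI('/D'.$diff->getRevisionID()),
 ),
 'D'.$diff->getRevisionID());
-$top_panel->appendChild(phutil_tag(
-'h1',
-array(),
-pht('This diff belongs to revision %s', $link)));
+$top_panel->appendChild(
+"<h1>".pht('This diff belongs to revision %s', $link)."</h1>");
 } else {
 $action_panel = new AphrontPanelView();
 $action_panel->setHeader('Preview Diff');
 $action_panel->setWidth(AphrontPanelView::WIDTH_WIDE);
-$action_panel->appendChild(hsprintf(
-'<p class="aphront-panel-instructions">%s</p>',
-pht(
-'Review the diff for correctness. When you are satisfied, either '.
-'<strong>create a new revision</strong> or <strong>update '.
-'an existing revision</strong>.',
-hsprintf(''))));
+$action_panel->appendChild(
+'<p class="aphront-panel-instructions">'.pht('Review the diff for '.
+'correctness. When you are satisfied, either <strong>create a new '.
+'revision</strong> or <strong>update an existing revision</strong>.'));
 
 // TODO: implmenent optgroup support in AphrontFormSelectControl?
 $select = array();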
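Review bot: The instructions paragraph added at new lines 34-37 opens `<p class="aphront-panel-instructions">` and never closes it: the removed hsprintf() template ended in `</p>`, but the new concatenation stops after the pht() call. Close the element on the last line, `'revision</strong> or <strong>update an existing revision</strong>.').'</p>');`. The `<h1>` line above it uses double-quoted literals where the rest of the change uses single quotes.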
+13 -13
src/applications/differential/controller/DifferentialRevisionViewController.php
··· 386 386 387 387 $page_pane = id(new DifferentialPrimaryPaneView()) 388 388 ->setID($pane_id) 389 - ->appendChild(array( 390 - $comment_view->render(), 391 - $diff_history->render(), 392 - $warning, 393 - $local_view->render(), 394 - $toc_view->render(), 395 - $other_view, 396 - $changeset_view->render(), 397 - )); 389 + ->appendChild( 390 + $comment_view->render(). 391 + $diff_history->render(). 392 + $warning. 393 + $local_view->render(). 394 + $toc_view->render(). 395 + $other_view. 396 + $changeset_view->render()); 398 397 if ($comment_form) { 399 398 $page_pane->appendChild($comment_form->render()); 400 399 } ··· 858 857 $handles = $this->loadViewerHandles($phids); 859 858 $view->setHandles($handles); 860 859 861 - return hsprintf( 862 - '%s<div class="differential-panel">%s</div>', 860 + return 863 861 id(new PhabricatorHeaderView()) 864 862 ->setHeader(pht('Open Revisions Affecting These Files')) 865 - ->render(), 866 - $view->render()); 863 + ->render(). 864 + '<div class="differential-panel">'. 865 + $view->render(). 866 + '</div>'; 867 867 } 868 868 869 869 /**
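--- a/src/applications/differential/controller/DifferentialSubscribeController.php
+++ b/src/applications/differential/controller/DifferentialSubscribeController.php
@@ -43,7 +43,7 @@
 $dialog
 ->setUser($user)
 ->setTitle($title)
-->appendChild(phutil_tag('p', array(), $prompt))
+->appendChild('<p>'.$prompt.'</p>')
 ->setSubmitURI($request->getRequestURI())
 ->addSubmitButton($button)
 ->addCancelButton('/D'.$revision->getID());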
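--- a/src/applications/differential/field/specification/DifferentialBlameRevisionFieldSpecification.php
+++ b/src/applications/differential/field/specification/DifferentialBlameRevisionFieldSpecification.php
@@ -49,7 +49,7 @@
 return null;
 }
 $engine = PhabricatorMarkupEngine::newDifferentialMarkupEngine();
-return $engine->markupText($this->value);
+return phutil_safe_html($engine->markupText($this->value));
 }
 
 public function shouldAppearOnConduitView() {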
+1 -1
src/applications/differential/field/specification/DifferentialCommitsFieldSpecification.php
··· 26 26 $links[] = $this->getHandle($commit_phid)->renderLink(); 27 27 } 28 28 29 - return phutil_implode_html(phutil_tag('br'), $links); 29 + return array_interleave(phutil_tag('br'), $links); 30 30 } 31 31 32 32 private function getCommitPHIDs() {
+1 -1
src/applications/differential/field/specification/DifferentialDependenciesFieldSpecification.php
··· 26 26 $links[] = $this->getHandle($revision_phids)->renderLink(); 27 27 } 28 28 29 - return phutil_implode_html(phutil_tag('br'), $links); 29 + return array_interleave(phutil_tag('br'), $links); 30 30 } 31 31 32 32 private function getDependentRevisionPHIDs() {
+1 -1
src/applications/differential/field/specification/DifferentialDependsOnFieldSpecification.php
··· 26 26 $links[] = $this->getHandle($revision_phids)->renderLink(); 27 27 } 28 28 29 - return phutil_implode_html(phutil_tag('br'), $links); 29 + return array_interleave(phutil_tag('br'), $links); 30 30 } 31 31 32 32 private function getDependentRevisionPHIDs() {
+1 -1
src/applications/differential/field/specification/DifferentialFieldSpecification.php
··· 283 283 $links[] = $handle->renderLink(); 284 284 } 285 285 286 - return phutil_implode_html(', ', $links); 286 + return array_interleave(', ', $links); 287 287 } 288 288 289 289
+1 -1
src/applications/differential/field/specification/DifferentialManiphestTasksFieldSpecification.php
··· 29 29 $links[] = $this->getHandle($task_phid)->renderLink(); 30 30 } 31 31 32 - return phutil_implode_html(phutil_tag('br'), $links); 32 + return array_interleave(phutil_tag('br'), $links); 33 33 } 34 34 35 35 private function getManiphestTaskPHIDs() {
+5 -7
src/applications/differential/field/specification/DifferentialReviewersFieldSpecification.php
··· 143 143 if ($other_reviewers) { 144 144 $names = array(); 145 145 foreach ($other_reviewers as $reviewer => $_) { 146 - $names[] = $this->getHandle($reviewer)->getLinkName(); 146 + $names[] = phutil_escape_html( 147 + $this->getHandle($reviewer)->getLinkName()); 147 148 } 148 - $suffix = javelin_tag( 149 + $suffix = ' '.javelin_tag( 149 150 'abbr', 150 151 array( 151 152 'sigil' => 'has-tooltip', ··· 158 159 } else { 159 160 $suffix = null; 160 161 } 161 - return hsprintf( 162 - '%s %s', 163 - $this->getHandle($primary_reviewer)->renderLink(), 164 - $suffix); 162 + return $this->getHandle($primary_reviewer)->renderLink().$suffix; 165 163 } else { 166 - return phutil_tag('em', array(), 'None'); 164 + return '<em>None</em>'; 167 165 } 168 166 } 169 167
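--- a/src/applications/differential/field/specification/DifferentialUnitFieldSpecification.php
+++ b/src/applications/differential/field/specification/DifferentialUnitFieldSpecification.php
@@ -113,7 +113,7 @@
 $userdata = idx($test, 'userdata');
 if ($userdata) {
 $engine = PhabricatorMarkupEngine::newDifferentialMarkupEngine();
-$userdata = $engine->markupText($userdata);
+$userdata = phutil_safe_html($engine->markupText($userdata));
 $rows[] = array(
 'style' => 'details',
 'value' => $userdata,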
+1 -1
src/applications/differential/parser/DifferentialChangesetParser.php
··· 1092 1092 * indicator of how well tested a change is. 1093 1093 */ 1094 1094 public function renderModifiedCoverage() { 1095 - $na = phutil_tag('em', array(), '-'); 1095 + $na = '<em>-</em>'; 1096 1096 1097 1097 $coverage = $this->getCoverage(); 1098 1098 if (!$coverage) {
+28 -44
src/applications/differential/render/DifferentialChangesetHTMLRenderer.php
··· 21 21 return null; 22 22 } 23 23 } else { 24 - $none = $none; 25 24 switch ($change) { 26 25 27 26 case DifferentialChangeType::TYPE_ADD: 28 27 switch ($file) { 29 28 case DifferentialChangeType::FILE_TEXT: 30 - $message = pht('This file was <strong>added</strong>.', $none); 29 + $message = pht('This file was <strong>added</strong>.'); 31 30 break; 32 31 case DifferentialChangeType::FILE_IMAGE: 33 - $message = pht('This image was <strong>added</strong>.', $none); 32 + $message = pht('This image was <strong>added</strong>.'); 34 33 break; 35 34 case DifferentialChangeType::FILE_DIRECTORY: 36 - $message = pht( 37 - 'This directory was <strong>added</strong>.', 38 - $none); 35 + $message = pht('This directory was <strong>added</strong>.'); 39 36 break; 40 37 case DifferentialChangeType::FILE_BINARY: 41 - $message = pht( 42 - 'This binary file was <strong>added</strong>.', 43 - $none); 38 + $message = pht('This binary file was <strong>added</strong>.'); 44 39 break; 45 40 case DifferentialChangeType::FILE_SYMLINK: 46 - $message = pht('This symlink was <strong>added</strong>.', $none); 41 + $message = pht('This symlink was <strong>added</strong>.'); 47 42 break; 48 43 case DifferentialChangeType::FILE_SUBMODULE: 49 - $message = pht( 50 - 'This submodule was <strong>added</strong>.', 51 - $none); 44 + $message = pht('This submodule was <strong>added</strong>.'); 52 45 break; 53 46 } 54 47 break; ··· 56 49 case DifferentialChangeType::TYPE_DELETE: 57 50 switch ($file) { 58 51 case DifferentialChangeType::FILE_TEXT: 59 - $message = pht('This file was <strong>deleted</strong>.', $none); 52 + $message = pht('This file was <strong>deleted</strong>.'); 60 53 break; 61 54 case DifferentialChangeType::FILE_IMAGE: 62 - $message = pht('This image was <strong>deleted</strong>.', $none); 55 + $message = pht('This image was <strong>deleted</strong>.'); 63 56 break; 64 57 case DifferentialChangeType::FILE_DIRECTORY: 65 - $message = pht( 66 - 'This directory was 
<strong>deleted</strong>.', 67 - $none); 58 + $message = pht('This directory was <strong>deleted</strong>.'); 68 59 break; 69 60 case DifferentialChangeType::FILE_BINARY: 70 - $message = pht( 71 - 'This binary file was <strong>deleted</strong>.', 72 - $none); 61 + $message = pht('This binary file was <strong>deleted</strong>.'); 73 62 break; 74 63 case DifferentialChangeType::FILE_SYMLINK: 75 - $message = pht( 76 - 'This symlink was <strong>deleted</strong>.', 77 - $none); 64 + $message = pht('This symlink was <strong>deleted</strong>.'); 78 65 break; 79 66 case DifferentialChangeType::FILE_SUBMODULE: 80 - $message = pht( 81 - 'This submodule was <strong>deleted</strong>.', 82 - $none); 67 + $message = pht('This submodule was <strong>deleted</strong>.'); 83 68 break; 84 69 } 85 70 break; ··· 250 235 } 251 236 } 252 237 253 - return hsprintf( 254 - '<div class="differential-meta-notice">%s</div>', 255 - $message); 238 + return 239 + '<div class="differential-meta-notice">'. 240 + $message. 241 + '</div>'; 256 242 } 257 243 258 244 protected function renderPropertyChangeHeader() { ··· 293 279 } 294 280 } 295 281 296 - array_unshift($rows, hsprintf( 297 - '<tr class="property-table-header">'. 298 - '<th>%s</th>'. 299 - '<td class="oval">%s</td>'. 300 - '<td class="nval">%s</td>'. 301 - '</tr>', 302 - pht('Property Changes'), 303 - pht('Old Value'), 304 - pht('New Value'))); 305 - 306 - return phutil_tag( 307 - 'table', 308 - array('class' => 'differential-property-table'), 309 - $rows); 282 + return 283 + '<table class="differential-property-table">'. 284 + '<tr class="property-table-header">'. 285 + '<th>'.pht('Property Changes').'</th>'. 286 + '<td class="oval">'.pht('Old Value').'</td>'. 287 + '<td class="nval">'.pht('New Value').'</td>'. 288 + '</tr>'. 289 + implode('', $rows). 
290 + '</table>'; 310 291 } 311 292 312 293 public function renderShield($message, $force = 'default') { ··· 370 351 if (!$content) { 371 352 return null; 372 353 } 354 + 355 + // TODO: [HTML] After TwoUpRenderer gets refactored, fix this. 356 + $content = phutil_safe_html($content); 373 357 374 358 return javelin_tag( 375 359 'table',
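--- a/src/applications/differential/render/DifferentialChangesetOneUpRenderer.php
+++ b/src/applications/differential/render/DifferentialChangesetOneUpRenderer.php
@@ -20,32 +20,32 @@
 switch ($type) {
 case 'old':
 case 'new':
-$out[] = hsprintf('<tr>');
+$out[] = '<tr>';
 if ($type == 'old') {
 if ($p['htype']) {
 $class = 'left old';
 } else {
 $class = 'left';
 }
-$out[] = hsprintf('<th>%s</th>', $p['line']);
-$out[] = hsprintf('<th></th>');
-$out[] = hsprintf('<td class="%s">%s</td>', $class, $p['render']);
+$out[] = '<th>'.$p['line'].'</th>';
+$out[] = '<th></th>';
+$out[] = '<td class="'.$class.'">'.$p['render'].'</td>';
 } else if ($type == 'new') {
 if ($p['htype']) {
 $class = 'right new';
-$out[] = hsprintf('<th />');
+$out[] = '<th />';
 } else {
 $class = 'right';
-$out[] = hsprintf('<th>%s</th>', $p['oline']);
+$out[] = '<th>'.$p['oline'].'</th>';
 }
-$out[] = hsprintf('<th>%s</th>', $p['line']);
-$out[] = hsprintf('<td class="%s">%s</td>', $class, $p['render']);
+$out[] = '<th>'.$p['line'].'</th>';
+$out[] = '<td class="'.$class.'">'.$p['render'].'</td>';
 }
-$out[] = hsprintf('</tr>');
+$out[] = '</tr>';
 break;
 case 'inline':
-$out[] = hsprintf('<tr><th /><th />');
-$out[] = hsprintf('<td>');
+$out[] = '<tr><th /><th />';
+$out[] = '<td>';
 
 $inline = $this->buildInlineComment(
 $p['comment'],
@@ -53,16 +53,16 @@
 $inline->setBuildScaffolding(false);
 $out[] = $inline->render();
 
-$out[] = hsprintf('</td></tr>');
+$out[] = '</td></tr>';
 break;
 default:
-$out[] = hsprintf('<tr><th /><th /><td>%s</td></tr>', $type);
+$out[] = '<tr><th /><th /><td>'.$type.'</td></tr>';
 break;
 }
 }
 
 if ($out) {
-return $this->wrapChangeInTable(phutil_implode_html('', $out));
+return $this->wrapChangeInTable(implode('', $out));
 }
 return null;
 }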
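Review bot: The `default:` branch now concatenates `$type` into the row without escaping (`'<tr><th /><th /><td>'.$type.'</td></tr>'`), where the removed hsprintf() call escaped it. `$type` is assigned outside these hunks and is presumably one of the renderer's own primitive kinds, but this is exactly the branch reached for unexpected values; `'<tr><th /><th /><td>'.phutil_escape_html($type).'</td></tr>'` keeps the old behaviour. DifferentialChangesetTwoUpRenderer.php has the same pattern where `$cov_class`, read from `$coverage`, is placed into `'<td class="cov '.$cov_class.'"></td>'`. The enclosing method begins before the first hunk.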
+35 -47
src/applications/differential/render/DifferentialChangesetTwoUpRenderer.php
··· 160 160 'colspan' => 2, 161 161 'class' => 'show-more', 162 162 ), 163 - phutil_implode_html( 163 + array_interleave( 164 164 " \xE2\x80\xA2 ", // Bullet 165 165 $contents)), 166 166 phutil_tag( ··· 205 205 } 206 206 } 207 207 208 - $n_copy = hsprintf('<td class="copy" />'); 208 + $n_copy = '<td class="copy" />'; 209 209 $n_cov = null; 210 210 $n_colspan = 2; 211 211 $n_classes = ''; ··· 224 224 $cov_class = $coverage[$n_num - 1]; 225 225 } 226 226 $cov_class = 'cov-'.$cov_class; 227 - $n_cov = hsprintf('<td class="cov %s"></td>', $cov_class); 227 + $n_cov = '<td class="cov '.$cov_class.'"></td>'; 228 228 $n_colspan--; 229 229 } 230 230 ··· 242 242 $n_classes = $n_class; 243 243 244 244 if ($new_lines[$ii]['type'] == '\\' || !isset($copy_lines[$n_num])) { 245 - $n_copy = hsprintf('<td class="copy %s"></td>', $n_class); 245 + $n_copy = '<td class="copy '.$n_class.'"></td>'; 246 246 } else { 247 247 list($orig_file, $orig_line, $orig_type) = $copy_lines[$n_num]; 248 248 $title = ($orig_type == '-' ? 'Moved' : 'Copied').' from '; ··· 274 274 } 275 275 276 276 if ($o_num && $left_id) { 277 - $o_id = 'C'.$left_id.$left_char.'L'.$o_num; 277 + $o_id = ' id="C'.$left_id.$left_char.'L'.$o_num.'"'; 278 278 } else { 279 279 $o_id = null; 280 280 } 281 281 282 282 if ($n_num && $right_id) { 283 - $n_id = 'C'.$right_id.$right_char.'L'.$n_num; 283 + $n_id = ' id="C'.$right_id.$right_char.'L'.$n_num.'"'; 284 284 } else { 285 285 $n_id = null; 286 286 } ··· 288 288 // NOTE: The Javascript is sensitive to whitespace changes in this 289 289 // block! 290 290 291 - $html[] = hsprintf( 291 + $html[] = 292 292 '<tr>'. 293 - '%s'. 294 - '<td class="%s">%s</td>'. 295 - '%s'. 296 - '%s'. 293 + '<th'.$o_id.'>'.$o_num.'</th>'. 294 + '<td class="'.$o_classes.'">'.$o_text.'</td>'. 295 + '<th'.$n_id.'>'.$n_num.'</th>'. 296 + $n_copy. 
297 297 // NOTE: This is a unicode zero-width space, which we use as a hint 298 298 // when intercepting 'copy' events to make sure sensible text ends 299 299 // up on the clipboard. See the 'phabricator-oncopy' behavior. 300 - '<td class="%s" colspan="%s">'. 301 - "\xE2\x80\x8B%s". 300 + '<td class="'.$n_classes.'" colspan="'.$n_colspan.'">'. 301 + "\xE2\x80\x8B".$n_text. 302 302 '</td>'. 303 - '%s'. 304 - '</tr>', 305 - phutil_tag('th', array('id' => $o_id), $o_num), 306 - $o_classes, $o_text, 307 - phutil_tag('th', array('id' => $n_id), $n_num), 308 - $n_copy, 309 - $n_classes, $n_colspan, $n_text, 310 - $n_cov); 303 + $n_cov. 304 + '</tr>'; 311 305 312 306 if ($context_not_available && ($ii == $rows - 1)) { 313 307 $html[] = $context_not_available; ··· 357 351 } 358 352 } 359 353 360 - return $this->wrapChangeInTable(phutil_implode_html('', $html)); 354 + return $this->wrapChangeInTable(implode('', $html)); 361 355 } 362 356 363 357 public function renderFileChange($old_file = null, ··· 401 395 foreach ($this->getOldComments() as $on_line => $comment_group) { 402 396 foreach ($comment_group as $comment) { 403 397 $comment_html = $this->renderInlineComment($comment, $on_right = false); 404 - $html_old[] = hsprintf( 398 + $html_old[] = 405 399 '<tr class="inline">'. 406 400 '<th />'. 407 - '<td class="left">%s</td>'. 401 + '<td class="left">'.$comment_html.'</td>'. 408 402 '<th />'. 409 403 '<td class="right3" colspan="3" />'. 410 - '</tr>', 411 - $comment_html); 404 + '</tr>'; 412 405 } 413 406 } 414 407 foreach ($this->getNewComments() as $lin_line => $comment_group) { 415 408 foreach ($comment_group as $comment) { 416 409 $comment_html = $this->renderInlineComment($comment, $on_right = true); 417 - $html_new[] = hsprintf( 410 + $html_new[] = 418 411 '<tr class="inline">'. 419 412 '<th />'. 420 413 '<td class="left" />'. 421 414 '<th />'. 422 - '<td class="right3" colspan="3">%s</td>'. 
423 - '</tr>', 424 - $comment_html); 415 + '<td class="right3" colspan="3">'.$comment_html.'</td>'. 416 + '</tr>'; 425 417 } 426 418 } 427 419 428 420 if (!$old) { 429 - $th_old = hsprintf('<th></th>'); 421 + $th_old = '<th></th>'; 430 422 } else { 431 - $th_old = hsprintf('<th id="C%sOL1">1</th>', $vs); 423 + $th_old = '<th id="C'.$vs.'OL1">1</th>'; 432 424 } 433 425 434 426 if (!$new) { 435 - $th_new = hsprintf('<th></th>'); 427 + $th_new = '<th></th>'; 436 428 } else { 437 - $th_new = hsprintf('<th id="C%sNL1">1</th>', $id); 429 + $th_new = '<th id="C'.$id.'NL1">1</th>'; 438 430 } 439 431 440 - $output = hsprintf( 432 + $output = 441 433 '<tr class="differential-image-diff">'. 442 - '%s'. 443 - '<td class="left differential-old-image">%s</td>'. 444 - '%s'. 445 - '<td class="right3 differential-new-image" colspan="3">%s</td>'. 434 + $th_old. 435 + '<td class="left differential-old-image">'.$old.'</td>'. 436 + $th_new. 437 + '<td class="right3 differential-new-image" colspan="3">'. 438 + $new. 439 + '</td>'. 446 440 '</tr>'. 447 - '%s'. 448 - '%s', 449 - $th_old, 450 - $old, 451 - $th_new, 452 - $new, 453 - phutil_implode_html('', $html_old), 454 - phutil_implode_html('', $html_new)); 441 + implode('', $html_old). 442 + implode('', $html_new); 455 443 456 444 $output = $this->wrapChangeInTable($output); 457 445
+15 -15
src/applications/differential/view/DifferentialAddCommentView.php
··· 155 155 'inline' => 'inline-comment-preview', 156 156 )); 157 157 158 - $warning_container = array(); 158 + $warning_container = '<div id="warnings">'; 159 159 foreach ($warnings as $warning) { 160 160 if ($warning) { 161 - $warning_container[] = $warning->render(); 161 + $warning_container .= $warning->render(); 162 162 } 163 163 } 164 + $warning_container .= '</div>'; 164 165 165 166 $header = id(new PhabricatorHeaderView()) 166 167 ->setHeader($is_serious ? pht('Add Comment') : pht('Leap Into Action')); 167 168 168 - return hsprintf( 169 - '%s'. 169 + return 170 + id(new PhabricatorAnchorView()) 171 + ->setAnchorName('comment') 172 + ->setNavigationMarker(true) 173 + ->render(). 170 174 '<div class="differential-add-comment-panel">'. 171 - '%s%s%s'. 175 + $header->render(). 176 + $form->render(). 177 + $warning_container. 172 178 '<div class="aphront-panel-preview aphront-panel-flush">'. 173 179 '<div id="comment-preview">'. 174 - '<span class="aphront-panel-preview-loading-text">%s</span>'. 180 + '<span class="aphront-panel-preview-loading-text">'. 181 + pht('Loading comment preview...'). 182 + '</span>'. 175 183 '</div>'. 176 184 '<div id="inline-comment-preview">'. 177 185 '</div>'. 178 186 '</div>'. 179 - '</div>', 180 - id(new PhabricatorAnchorView()) 181 - ->setAnchorName('comment') 182 - ->setNavigationMarker(true) 183 - ->render(), 184 - $header->render(), 185 - $form->render(), 186 - phutil_tag('div', array('id' => 'warnings'), $warning_container), 187 - pht('Loading comment preview...')); 187 + '</div>'; 188 188 } 189 189 }
+2 -2
src/applications/differential/view/DifferentialChangesetDetailView.php
··· 92 92 'class' => $class, 93 93 'id' => $id, 94 94 ), 95 - $this->renderSingleView( 95 + $this->renderHTMLView( 96 96 array( 97 97 id(new PhabricatorAnchorView()) 98 98 ->setAnchorName($changeset->getAnchorName()) ··· 101 101 $buttons, 102 102 phutil_tag('h1', array(), $display_filename), 103 103 phutil_tag('div', array('style' => 'clear: both'), ''), 104 - $this->renderChildren(), 104 + $this->renderHTMLChildren(), 105 105 ))); 106 106 } 107 107
+9 -14
src/applications/differential/view/DifferentialChangesetListView.php
··· 187 187 )); 188 188 } 189 189 190 - return $this->renderSingleView( 190 + return $this->renderHTMLView( 191 191 array( 192 192 id(new PhabricatorHeaderView()) 193 193 ->setHeader($this->getTitle()) ··· 221 221 ), 222 222 array('Changes discarded. ', $link)); 223 223 224 + $template = 225 + '<table><tr>'. 226 + '<th></th><td>%s</td>'. 227 + '<th></th><td colspan="3">%s</td>'. 228 + '</tr></table>'; 229 + 224 230 return array( 225 - 'l' => hsprintf( 226 - '<table><tr>'. 227 - '<th></th><td>%s</td>'. 228 - '<th></th><td colspan="3"></td>'. 229 - '</tr></table>', 230 - $div), 231 - 232 - 'r' => hsprintf( 233 - '<table><tr>'. 234 - '<th></th><td></td>'. 235 - '<th></th><td colspan="3">%s</td>'. 236 - '</tr></table>', 237 - $div), 231 + 'l' => sprintf($template, $div, ''), 232 + 'r' => sprintf($template, '', $div), 238 233 ); 239 234 } 240 235
+49 -48
src/applications/differential/view/DifferentialDiffTableOfContentsView.php
··· 94 94 $meta[] = pht('Copied to multiple locations:'); 95 95 } 96 96 foreach ($away as $path) { 97 - $meta[] = $path; 97 + $meta[] = phutil_escape_html($path); 98 98 } 99 - $meta = phutil_implode_html(phutil_tag('br'), $meta); 99 + $meta = implode('<br />', $meta); 100 100 } else { 101 101 if ($type == DifferentialChangeType::TYPE_MOVE_AWAY) { 102 - $meta = pht('Moved to %s', reset($away)); 102 + $meta = pht('Moved to %s', phutil_escape_html(reset($away))); 103 103 } else { 104 - $meta = pht('Copied to %s', reset($away)); 104 + $meta = pht('Copied to %s', phutil_escape_html(reset($away))); 105 105 } 106 106 } 107 107 } else if ($type == DifferentialChangeType::TYPE_MOVE_HERE) { 108 - $meta = pht('Moved from %s', $changeset->getOldFile()); 108 + $meta = pht('Moved from %s', 109 + phutil_escape_html($changeset->getOldFile())); 109 110 } else if ($type == DifferentialChangeType::TYPE_COPY_HERE) { 110 - $meta = pht('Copied from %s', $changeset->getOldFile()); 111 + $meta = pht('Copied from %s', 112 + phutil_escape_html($changeset->getOldFile())); 111 113 } else { 112 114 $meta = null; 113 115 } ··· 128 130 $pchar = 129 131 ($changeset->getOldProperties() === $changeset->getNewProperties()) 130 132 ? null 131 - : hsprintf('<span title="%s">M</span>', pht('Properties Changed')); 133 + : '<span title="'.pht('Properties Changed').'">M</span>'; 132 134 133 135 $fname = $changeset->getFilename(); 134 136 $cov = $this->renderCoverage($coverage, $fname); 135 137 if ($cov === null) { 136 - $mcov = $cov = phutil_tag('em', array(), '-'); 138 + $mcov = $cov = '<em>-</em>'; 137 139 } else { 138 140 $mcov = phutil_tag( 139 141 'div', ··· 144 146 (isset($this->visibleChangesets[$id]) ? 'Loading...' : '?')); 145 147 } 146 148 147 - $rows[] = hsprintf( 148 - '<tr>'. 149 - '<td class="differential-toc-char" title="%s">%s</td>'. 150 - '<td class="differential-toc-prop">%s</td>'. 151 - '<td class="differential-toc-ftype">%s</td>'. 152 - '<td class="differential-toc-file">%s%s</td>'. 
153 - '<td class="differential-toc-cov">%s</td>'. 154 - '<td class="differential-toc-mcov">%s</td>'. 155 - '</tr>', 156 - $chartitle, $char, 157 - $pchar, 158 - $desc, 159 - $link, $lines, 160 - $cov, 161 - $mcov); 149 + $rows[] = 150 + '<tr>'. 151 + phutil_tag( 152 + 'td', 153 + array( 154 + 'class' => 'differential-toc-char', 155 + 'title' => $chartitle, 156 + ), 157 + $char). 158 + '<td class="differential-toc-prop">'.$pchar.'</td>'. 159 + '<td class="differential-toc-ftype">'.$desc.'</td>'. 160 + '<td class="differential-toc-file">'.$link.$lines.'</td>'. 161 + '<td class="differential-toc-cov">'.$cov.'</td>'. 162 + '<td class="differential-toc-mcov">'.$mcov.'</td>'. 163 + '</tr>'; 162 164 if ($meta) { 163 - $rows[] = hsprintf( 165 + $rows[] = 164 166 '<tr>'. 165 167 '<td colspan="3"></td>'. 166 - '<td class="differential-toc-meta">%s</td>'. 167 - '</tr>', 168 - $meta); 168 + '<td class="differential-toc-meta">'.$meta.'</td>'. 169 + '</tr>'; 169 170 } 170 171 if ($this->diff && $this->repository) { 171 172 $paths[] = ··· 200 201 ), 201 202 pht('Show All Context')); 202 203 203 - $buttons = hsprintf( 204 - '<tr><td colspan="7">%s%s</td></tr>', 205 - $editor_link, 206 - $reveal_link); 204 + $buttons = 205 + '<tr><td colspan="7">'. 206 + $editor_link.$reveal_link. 207 + '</td></tr>'; 207 208 208 - return hsprintf( 209 - '%s%s'. 209 + return 210 + id(new PhabricatorAnchorView()) 211 + ->setAnchorName('toc') 212 + ->setNavigationMarker(true) 213 + ->render(). 214 + id(new PhabricatorHeaderView()) 215 + ->setHeader(pht('Table of Contents')) 216 + ->render(). 210 217 '<div class="differential-toc differential-panel">'. 211 218 '<table>'. 212 219 '<tr>'. ··· 214 221 '<th></th>'. 215 222 '<th></th>'. 216 223 '<th>Path</th>'. 217 - '<th class="differential-toc-cov">%s</th>'. 218 - '<th class="differential-toc-mcov">%s</th>'. 224 + '<th class="differential-toc-cov">'. 225 + pht('Coverage (All)'). 226 + '</th>'. 227 + '<th class="differential-toc-mcov">'. 
228 + pht('Coverage (Touched)'). 229 + '</th>'. 219 230 '</tr>'. 220 - '%s%s'. 231 + implode("\n", $rows). 232 + $buttons. 221 233 '</table>'. 222 - '</div>', 223 - id(new PhabricatorAnchorView()) 224 - ->setAnchorName('toc') 225 - ->setNavigationMarker(true) 226 - ->render(), 227 - id(new PhabricatorHeaderView()) 228 - ->setHeader(pht('Table of Contents')) 229 - ->render(), 230 - pht('Coverage (All)'), 231 - pht('Coverage (Touched)'), 232 - phutil_implode_html("\n", $rows), 233 - $buttons); 234 + '</div>'; 234 235 } 235 236 236 237 private function renderCoverage(array $coverage, $file) {
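Review bot: In the rewritten `$rows[]` row, `$desc` and `$lines` are concatenated straight into the `<td>` cells, so if either is still a plain string it reaches the page unescaped; the removed hsprintf() call escaped plain strings at that point. Both are assigned outside the visible hunks, so this needs checking against the full function; if `$desc` is plain text the cell should read `'<td class="differential-toc-ftype">'.phutil_escape_html($desc).'</td>'.`. The same applies to `pht('Properties Changed')` inside the `title="..."` attribute of `$pchar`: a translation containing a double quote would end the attribute early, so `phutil_escape_html(pht('Properties Changed'))` is the safer form.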
+4 -4
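--- a/src/applications/differential/view/DifferentialInlineCommentEditView.php
+++ b/src/applications/differential/view/DifferentialInlineCommentEditView.php
@@ -55,7 +55,7 @@
 'method' => 'POST',
 'sigil' => 'inline-edit-form',
 ),
-$this->renderSingleView(
+$this->renderHTMLView(
 array(
 $this->renderInputs(),
 $this->renderBody(),
@@ -123,14 +123,14 @@
 array(
 'class' => 'differential-inline-comment-edit-body',
 ),
-$this->renderChildren());
+$this->renderHTMLChildren());
 
 $edit = phutil_tag(
 'edit',
 array(
 'class' => 'differential-inline-comment-edit-buttons',
 ),
-$this->renderSingleView(
+$this->renderHTMLView(
 array(
 $formatting,
 $buttons,
@@ -148,7 +148,7 @@
 'length' => $this->length,
 ),
 ),
-$this->renderSingleView(
+$this->renderHTMLView(
 array(
 $title,
 $body,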
+1 -1
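--- a/src/applications/differential/view/DifferentialInlineCommentView.php
+++ b/src/applications/differential/view/DifferentialInlineCommentView.php
@@ -178,7 +178,7 @@
 $links = phutil_tag(
 'span',
 array('class' => 'differential-inline-comment-links'),
-phutil_implode_html(" \xC2\xB7 ", $links));
+array_interleave(" \xC2\xB7 ", $links));
 } else {
 $links = null;
 }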
+18 -20
src/applications/differential/view/DifferentialLocalCommitsView.php
··· 74 74 } 75 75 $parents[$k] = substr($parent, 0, 16); 76 76 } 77 - $parents = phutil_implode_html(phutil_tag('br'), $parents); 77 + $parents = array_interleave(phutil_tag('br'), $parents); 78 78 $row[] = phutil_tag('td', array(), $parents); 79 79 80 80 $author = nonempty( ··· 114 114 115 115 116 116 $headers = array(); 117 - $headers[] = phutil_tag('th', array(), pht('Commit')); 117 + $headers[] = '<th>'.pht('Commit').'</th>'; 118 118 if ($has_tree) { 119 - $headers[] = phutil_tag('th', array(), pht('Tree')); 119 + $headers[] = '<th>'.pht('Tree').'</th>'; 120 120 } 121 121 if ($has_local) { 122 - $headers[] = phutil_tag('th', array(), pht('Local')); 122 + $headers[] = '<th>'.pht('Local').'</th>'; 123 123 } 124 - $headers[] = phutil_tag('th', array(), pht('Parents')); 125 - $headers[] = phutil_tag('th', array(), pht('Author')); 126 - $headers[] = phutil_tag('th', array(), pht('Summary')); 127 - $headers[] = phutil_tag('th', array(), pht('Date')); 124 + $headers[] = '<th>'.pht('Parents').'</th>'; 125 + $headers[] = '<th>'.pht('Author').'</th>'; 126 + $headers[] = '<th>'.pht('Summary').'</th>'; 127 + $headers[] = '<th>'.pht('Date').'</th>'; 128 128 129 - $headers = phutil_tag('tr', array(), $headers); 130 - 131 - $header = id(new PhabricatorHeaderView()) 132 - ->setHeader(pht('Local Commits')) 133 - ->render(); 129 + $headers = '<tr>'.implode('', $headers).'</tr>'; 134 130 135 - return hsprintf( 136 - '%s'. 131 + return 132 + id(new PhabricatorHeaderView()) 133 + ->setHeader(pht('Local Commits')) 134 + ->render(). 137 135 '<div class="differential-panel">'. 138 - '<table class="differential-local-commits-table">%s%s</table>'. 139 - '</div>', 140 - $header, 141 - $headers, 142 - phutil_implode_html("\n", $rows)); 136 + '<table class="differential-local-commits-table">'. 137 + $headers. 138 + implode("\n", $rows). 139 + '</table>'. 140 + '</div>'; 143 141 } 144 142 }
+1 -1
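--- a/src/applications/differential/view/DifferentialPrimaryPaneView.php
+++ b/src/applications/differential/view/DifferentialPrimaryPaneView.php
@@ -11,7 +11,7 @@
 
 public function render() {
 
-return phutil_tag(
+return phutil_render_tag(
 'div',
 array(
 'class' => 'differential-primary-pane',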
+4 -2
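--- a/src/applications/differential/view/DifferentialRevisionCommentListView.php
+++ b/src/applications/differential/view/DifferentialRevisionCommentListView.php
@@ -187,12 +187,14 @@
 $hidden = null;
 }
 
-return javelin_tag(
+return javelin_render_tag(
 'div',
 array(
 'class' => 'differential-comment-list',
 'id' => $this->getID(),
 ),
-array_merge($header, array($hidden), $visible));
+implode("\n", $header).
+$hidden.
+implode("\n", $visible));
 }
 }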
+25 -41
src/applications/differential/view/DifferentialRevisionCommentView.php
··· 87 87 $comment, 88 88 PhabricatorInlineCommentInterface::MARKUP_FIELD_BODY); 89 89 90 - $content = hsprintf( 91 - '<div class="phabricator-remarkup">%s</div>', 92 - $content); 90 + $content = 91 + '<div class="phabricator-remarkup">'. 92 + $content. 93 + '</div>'; 93 94 } 94 95 95 96 $inline_render = $this->renderInlineComments(); ··· 115 116 array()); 116 117 117 118 $verb = DifferentialAction::getActionPastTenseVerb($comment->getAction()); 119 + $verb = phutil_escape_html($verb); 118 120 119 121 $actions = array(); 120 122 // TODO: i18n 121 123 switch ($comment->getAction()) { 122 124 case DifferentialAction::ACTION_ADDCCS: 123 - $actions[] = hsprintf( 124 - "%s added CCs: %s.", 125 - $author_link, 126 - $this->renderHandleList($added_ccs)); 125 + $actions[] = "{$author_link} added CCs: ". 126 + $this->renderHandleList($added_ccs)."."; 127 127 $added_ccs = null; 128 128 break; 129 129 case DifferentialAction::ACTION_ADDREVIEWERS: 130 - $actions[] = hsprintf( 131 - "%s added reviewers: %s.", 132 - $author_link, 133 - $this->renderHandleList($added_reviewers)); 130 + $actions[] = "{$author_link} added reviewers: ". 
131 + $this->renderHandleList($added_reviewers)."."; 134 132 $added_reviewers = null; 135 133 break; 136 134 case DifferentialAction::ACTION_UPDATE: ··· 142 140 'href' => '/D'.$comment->getRevisionID().'?id='.$diff_id, 143 141 ), 144 142 'Diff #'.$diff_id); 145 - $actions[] = hsprintf( 146 - "%s updated this revision to %s.", 147 - $author_link, 148 - $diff_link); 143 + $actions[] = "{$author_link} updated this revision to {$diff_link}."; 149 144 } else { 150 - $actions[] = hsprintf( 151 - "%s %s this revision.", 152 - $author_link, 153 - $verb); 145 + $actions[] = "{$author_link} {$verb} this revision."; 154 146 } 155 147 break; 156 148 default: 157 - $actions[] = hsprintf( 158 - "%s %s this revision.", 159 - $author_link, 160 - $verb); 149 + $actions[] = "{$author_link} {$verb} this revision."; 161 150 break; 162 151 } 163 152 164 153 if ($added_reviewers) { 165 - $actions[] = hsprintf( 166 - "%s added reviewers: %s.", 167 - $author_link, 168 - $this->renderHandleList($added_reviewers)); 154 + $actions[] = "{$author_link} added reviewers: ". 155 + $this->renderHandleList($added_reviewers)."."; 169 156 } 170 157 171 158 if ($removed_reviewers) { 172 - $actions[] = hsprintf( 173 - "%s removed reviewers: %s.", 174 - $author_link, 175 - $this->renderHandleList($removed_reviewers)); 159 + $actions[] = "{$author_link} removed reviewers: ". 160 + $this->renderHandleList($removed_reviewers)."."; 176 161 } 177 162 178 163 if ($added_ccs) { 179 - $actions[] = hsprintf( 180 - "%s added CCs: %s.", 181 - $author_link, 182 - $this->renderHandleList($added_ccs)); 164 + $actions[] = "{$author_link} added CCs: ". 
165 + $this->renderHandleList($added_ccs)."."; 183 166 } 184 167 185 168 foreach ($actions as $key => $action) { 186 - $actions[$key] = phutil_tag('div', array(), $action); 169 + $actions[$key] = '<div>'.$action.'</div>'; 187 170 } 188 171 189 172 $xaction_view = id(new PhabricatorTransactionView()) ··· 207 190 } 208 191 209 192 if (!$hide_comments) { 210 - $xaction_view->appendChild(hsprintf( 211 - '<div class="differential-comment-core">%s%s</div>', 212 - $content, 213 - $this->renderSingleView($inline_render))); 193 + $xaction_view->appendChild( 194 + '<div class="differential-comment-core">'. 195 + $content. 196 + '</div>'. 197 + $this->renderSingleView($inline_render)); 214 198 } 215 199 216 200 return $xaction_view->render(); ··· 221 205 foreach ($phids as $phid) { 222 206 $result[] = $this->handles[$phid]->renderLink(); 223 207 } 224 - return phutil_implode_html(', ', $result); 208 + return implode(', ', $result); 225 209 } 226 210 227 211 private function renderInlineComments() {
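Review bot: The final `appendChild()` call concatenates `$this->renderSingleView($inline_render)` into a plain string, while the sibling views in this commit (DifferentialChangesetDetailView, DifferentialChangesetListView, DifferentialInlineCommentEditView) switch from renderSingleView() to renderHTMLView(). What renderSingleView() returns in the reverted tree is not visible here; if it escapes its input or returns an array, the inline comments will render wrongly, so confirm it or use `$this->renderHTMLView($inline_render)` to match. The same call remains in the new code of DiffusionCommentListView.php and DiffusionCommentView.php. The rewrite also moves the inline comments outside the `differential-comment-core` div, which deserves a one-line comment if it is intended.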
+1 -5
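--- a/src/applications/differential/view/DifferentialRevisionDetailView.php
+++ b/src/applications/differential/view/DifferentialRevisionDetailView.php
@@ -87,11 +87,7 @@
 }
 $properties->setHasKeyboardShortcuts(true);
 
-return hsprintf(
-'%s%s%s',
-$header->render(),
-$actions->render(),
-$properties->render());
+return $header->render() . $actions->render() . $properties->render();
 }
 
 private function renderHeader(DifferentialRevision $revision) {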
+12 -12
src/applications/differential/view/DifferentialRevisionListView.php
··· 128 128 129 129 } else if (array_key_exists($revision->getID(), $this->drafts)) { 130 130 $src = '/rsrc/image/icon/fatcow/page_white_edit.png'; 131 - $flag = hsprintf( 132 - '<a href="%s">%s</a>', 133 - '/D'.$revision->getID().'#comment-preview', 134 - phutil_tag( 135 - 'img', 136 - array( 137 - 'src' => celerity_get_resource_uri($src), 138 - 'width' => 16, 139 - 'height' => 16, 140 - 'alt' => 'Draft', 141 - 'title' => pht('Draft Comment'), 142 - ))); 131 + $flag = 132 + '<a href="/D'.$revision->getID().'#comment-preview">'. 133 + phutil_tag( 134 + 'img', 135 + array( 136 + 'src' => celerity_get_resource_uri($src), 137 + 'width' => 16, 138 + 'height' => 16, 139 + 'alt' => 'Draft', 140 + 'title' => pht('Draft Comment'), 141 + )). 142 + '</a>'; 143 143 } 144 144 145 145 $row = array($flag);
+20 -24
src/applications/differential/view/DifferentialRevisionUpdateHistoryView.php
··· 177 177 DifferentialChangesetParser::WHITESPACE_SHOW_ALL => 'Show All', 178 178 ); 179 179 180 + $select = '<select name="whitespace">'; 180 181 foreach ($options as $value => $label) { 181 - $options[$value] = phutil_tag( 182 + $select .= phutil_tag( 182 183 'option', 183 184 array( 184 185 'value' => $value, ··· 188 189 ), 189 190 $label); 190 191 } 191 - $select = phutil_tag('select', array('name' => 'whitespace'), $options); 192 - 193 - array_unshift($rows, phutil_tag('tr', array(), array( 194 - phutil_tag('th', array(), pht('Diff')), 195 - phutil_tag('th', array(), pht('ID')), 196 - phutil_tag('th', array(), pht('Base')), 197 - phutil_tag('th', array(), pht('Description')), 198 - phutil_tag('th', array(), pht('Created')), 199 - phutil_tag('th', array(), pht('Lint')), 200 - phutil_tag('th', array(), pht('Unit')), 201 - ))); 192 + $select .= '</select>'; 202 193 203 - return hsprintf( 204 - '%s'. 194 + return 195 + id(new PhabricatorHeaderView()) 196 + ->setHeader(pht('Revision Update History')) 197 + ->render() . 205 198 '<div class="differential-revision-history differential-panel">'. 206 199 '<form action="#toc">'. 207 200 '<table class="differential-revision-history-table">'. 208 - '%s'. 201 + '<tr>'. 202 + '<th>'.pht('Diff').'</th>'. 203 + '<th>'.pht('ID').'</th>'. 204 + '<th>'.pht('Base').'</th>'. 205 + '<th>'.pht('Description').'</th>'. 206 + '<th>'.pht('Created').'</th>'. 207 + '<th>'.pht('Lint').'</th>'. 208 + '<th>'.pht('Unit').'</th>'. 209 + '</tr>'. 210 + implode("\n", $rows). 209 211 '<tr>'. 210 212 '<td colspan="9" class="diff-differ-submit">'. 211 - '<label>%s</label>'. 212 - '<button>%s</button>'. 213 + '<label>'.pht('Whitespace Changes: %s', $select).'</label>'. 214 + '<button>'.pht('Show Diff').'</button>'. 213 215 '</td>'. 214 216 '</tr>'. 215 217 '</table>'. 216 218 '</form>'. 
217 - '</div>', 218 - id(new PhabricatorHeaderView()) 219 - ->setHeader(pht('Revision Update History')) 220 - ->render(), 221 - phutil_implode_html("\n", $rows), 222 - pht('Whitespace Changes: %s', $select), 223 - pht('Show Diff')); 219 + '</div>'; 224 220 } 225 221 226 222 const STAR_NONE = 'none';
+2 -2
src/applications/diffusion/controller/DiffusionBrowseController.php
··· 21 21 $title = 'Tag: '.$drequest->getSymbolicCommit(); 22 22 23 23 $tag_view = new AphrontPanelView(); 24 - $tag_view->setHeader($title); 24 + $tag_view->setHeader(phutil_escape_html($title)); 25 25 $tag_view->appendChild( 26 26 $this->markupText($drequest->getTagContent())); 27 27 ··· 106 106 107 107 private function markupText($text) { 108 108 $engine = PhabricatorMarkupEngine::newDiffusionMarkupEngine(); 109 - $text = $engine->markupText($text); 109 + $text = phutil_safe_html($engine->markupText($text)); 110 110 111 111 $text = phutil_tag( 112 112 'div',
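Review bot: `markupText()` now wraps the engine output in `phutil_safe_html(...)`, which marks it as trusted HTML without escaping anything itself, and the text passed in here is tag content taken from the repository. Nothing in the helper records that the markup engine is the only escaping step; I would add `// Safe only because the Diffusion markup engine escapes its input; never pass raw text to phutil_safe_html().` above the call. The same wrapping is added for the commit message in DiffusionCommitController.php and for README content in DiffusionBrowseQuery.php (there also around `nl2br()` of the highlighter output), and the same invariant should be documented at those sites. markupText() continues past the end of the hunk.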
+18 -12
src/applications/diffusion/controller/DiffusionCommitController.php
··· 97 97 array( 98 98 'class' => 'diffusion-commit-message phabricator-remarkup', 99 99 ), 100 - $engine->markupText($commit_data->getCommitMessage()))); 100 + phutil_safe_html( 101 + $engine->markupText($commit_data->getCommitMessage())))); 101 102 102 103 $content[] = $top_anchor; 103 104 $content[] = $headsup_view; ··· 448 449 foreach ($parents as $parent) { 449 450 $parent_links[] = $handles[$parent->getPHID()]->renderLink(); 450 451 } 451 - $props['Parents'] = phutil_implode_html(" \xC2\xB7 ", $parent_links); 452 + $props['Parents'] = array_interleave( 453 + " \xC2\xB7 ", 454 + $parent_links); 452 455 } 453 456 454 457 $request = $this->getDiffusionRequest(); ··· 485 488 foreach ($task_phids as $phid) { 486 489 $task_list[] = $handles[$phid]->renderLink(); 487 490 } 488 - $task_list = phutil_implode_html(phutil_tag('br'), $task_list); 491 + $task_list = array_interleave(phutil_tag('br'), $task_list); 489 492 $props['Tasks'] = $task_list; 490 493 } 491 494 ··· 494 497 foreach ($proj_phids as $phid) { 495 498 $proj_list[] = $handles[$phid]->renderLink(); 496 499 } 497 - $proj_list = phutil_implode_html(phutil_tag('br'), $proj_list); 500 + $proj_list = array_interleave(phutil_tag('br'), $proj_list); 498 501 $props['Projects'] = $proj_list; 499 502 } 500 503 ··· 686 689 'inlineuri' => '/diffusion/inline/preview/'.$commit->getPHID().'/', 687 690 )); 688 691 689 - $preview_panel = hsprintf( 692 + $preview_panel = 690 693 '<div class="aphront-panel-preview aphront-panel-flush"> 691 694 <div id="audit-preview"> 692 695 <div class="aphront-panel-preview-loading-text"> ··· 695 698 </div> 696 699 <div id="inline-comment-preview"> 697 700 </div> 698 - </div>'); 701 + </div>'; 699 702 700 703 // TODO: This is pretty awkward, unify the CSS between Diffusion and 701 704 // Differential better. 
702 705 require_celerity_resource('differential-core-view-css'); 703 706 704 - return phutil_tag( 707 + return phutil_render_tag( 705 708 'div', 706 709 array( 707 710 'id' => $pane_id, 708 711 ), 709 - hsprintf( 710 - '<div class="differential-add-comment-panel">%s%s%s</div>', 712 + phutil_render_tag( 713 + 'div', 714 + array( 715 + 'class' => 'differential-add-comment-panel', 716 + ), 711 717 id(new PhabricatorAnchorView()) 712 718 ->setAnchorName('comment') 713 719 ->setNavigationMarker(true) 714 - ->render(), 715 - $panel->render(), 720 + ->render(). 721 + $panel->render(). 716 722 $preview_panel)); 717 723 } 718 724 ··· 932 938 $ref); 933 939 } 934 940 935 - return phutil_implode_html(', ', $ref_links); 941 + return array_interleave(', ', $ref_links); 936 942 } 937 943 938 944 private function buildRawDiffResponse(DiffusionRequest $drequest) {
+1 -1
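--- a/src/applications/diffusion/controller/DiffusionExternalController.php
+++ b/src/applications/diffusion/controller/DiffusionExternalController.php
@@ -103,7 +103,7 @@
 'href' => $href,
 ),
 'r'.$repo->getCallsign().$commit->getCommitIdentifier()),
-$commit->loadCommitData()->getSummary(),
+phutil_escape_html($commit->loadCommitData()->getSummary()),
 );
 }
 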
+2 -2
src/applications/diffusion/controller/DiffusionHomeController.php
··· 19 19 'href' => $shortcut->getHref(), 20 20 ), 21 21 $shortcut->getName()), 22 - $shortcut->getDescription(), 22 + phutil_escape_html($shortcut->getDescription()), 23 23 ); 24 24 } 25 25 ··· 130 130 'href' => '/diffusion/'.$repository->getCallsign().'/', 131 131 ), 132 132 $repository->getName()), 133 - $repository->getDetail('description'), 133 + phutil_escape_html($repository->getDetail('description')), 134 134 PhabricatorRepositoryType::getNameForRepositoryType( 135 135 $repository->getVersionControlSystem()), 136 136 $size,
+5 -4
src/applications/diffusion/controller/DiffusionLintController.php
··· 71 71 '<a href="%s">%s</a>', 72 72 $drequest->generateURI(array('action' => 'lint')), 73 73 $drequest->getCallsign()), 74 - ArcanistLintSeverity::getStringForSeverity($code['maxSeverity']), 75 - $code['code'], 76 - $code['maxName'], 77 - $code['maxDescription'], 74 + phutil_escape_html(ArcanistLintSeverity::getStringForSeverity( 75 + $code['maxSeverity'])), 76 + phutil_escape_html($code['code']), 77 + phutil_escape_html($code['maxName']), 78 + phutil_escape_html($code['maxDescription']), 78 79 ); 79 80 } 80 81
+5 -4
src/applications/diffusion/controller/DiffusionLintDetailsController.php
··· 34 34 $rows[] = array( 35 35 $path, 36 36 $line, 37 - ArcanistLintSeverity::getStringForSeverity($message['severity']), 38 - $message['name'], 39 - $message['description'], 37 + phutil_escape_html(ArcanistLintSeverity::getStringForSeverity( 38 + $message['severity'])), 39 + phutil_escape_html($message['name']), 40 + phutil_escape_html($message['description']), 40 41 ); 41 42 } 42 43 ··· 70 71 71 72 $content[] = id(new AphrontPanelView()) 72 73 ->setHeader( 73 - ($lint != '' ? $lint." \xC2\xB7 " : ''). 74 + ($lint != '' ? phutil_escape_html($lint)." \xC2\xB7 " : ''). 74 75 pht('%d Lint Message(s)', count($messages))) 75 76 ->setCaption($link) 76 77 ->appendChild($table)
+4 -2
src/applications/diffusion/controller/DiffusionRepositoryController.php
··· 68 68 'View Full Commit History'); 69 69 70 70 $panel = new AphrontPanelView(); 71 - $panel->setHeader(hsprintf("Recent Commits &middot; %s", $all)); 71 + $panel->setHeader("Recent Commits &middot; {$all}"); 72 72 $panel->appendChild($history_table); 73 73 $panel->setNoBackground(); 74 74 ··· 125 125 126 126 $rows = array(); 127 127 foreach ($properties as $key => $value) { 128 - $rows[] = array($key, $value); 128 + $rows[] = array( 129 + phutil_escape_html($key), 130 + phutil_escape_html($value)); 129 131 } 130 132 131 133 $table = new AphrontTableView($rows);
+8 -8
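--- a/src/applications/diffusion/controller/DiffusionSymbolController.php
+++ b/src/applications/diffusion/controller/DiffusionSymbolController.php
@@ -81,8 +81,8 @@
 $project_name = '-';
 }
 
-$file = $symbol->getPath();
-$line = $symbol->getLineNumber();
+$file = phutil_escape_html($symbol->getPath());
+$line = phutil_escape_html($symbol->getLineNumber());
 
 $repo = $symbol->getRepository();
 if ($repo) {
@@ -101,17 +101,17 @@
 ),
 $file.':'.$line);
 } else if ($file) {
-$location = $file.':'.$line;
+$location = phutil_escape_html($file.':'.$line);
 } else {
 $location = '?';
 }
 
 $rows[] = array(
-$symbol->getSymbolType(),
-$symbol->getSymbolContext(),
-$symbol->getSymbolName(),
-$symbol->getSymbolLanguage(),
-$project_name,
+phutil_escape_html($symbol->getSymbolType()),
+phutil_escape_html($symbol->getSymbolContext()),
+phutil_escape_html($symbol->getSymbolName()),
+phutil_escape_html($symbol->getSymbolLanguage()),
+phutil_escape_html($project_name),
 $location,
 );
 }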
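Review bot: `$file` and `$line` are escaped when they are assigned, and the `else if ($file)` branch then escapes them a second time with `phutil_escape_html($file.':'.$line)`, so a path containing `&` or `<` is displayed with visible entities such as `&amp;amp;`. Either keep the raw values and escape once at output, or drop the second call: `$location = $file.':'.$line;`. The pre-escaped `$file.':'.$line` is also passed as the content of the phutil_tag() link in the first branch; if phutil_tag() escapes its content in this tree, that branch double-escapes as well. Any use of `$file` in the link's href, which is built outside the visible hunks, would receive the HTML-escaped path instead of the real one.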
+3 -2
src/applications/diffusion/query/browse/DiffusionBrowseQuery.php
··· 119 119 $readme_content = $highlighter 120 120 ->getHighlightFuture($readme_content) 121 121 ->resolve(); 122 - $readme_content = phutil_escape_html_newlines($readme_content); 122 + $readme_content = nl2br($readme_content); 123 + $readme_content = phutil_safe_html($readme_content); 123 124 124 125 require_celerity_resource('syntax-highlighting-css'); 125 126 $class = 'remarkup-code'; 126 127 } else { 127 128 // Markup extensionless files as remarkup so we get links and such. 128 129 $engine = PhabricatorMarkupEngine::newDiffusionMarkupEngine(); 129 - $readme_content = $engine->markupText($readme_content); 130 + $readme_content = phutil_safe_html($engine->markupText($readme_content)); 130 131 131 132 $class = 'phabricator-remarkup'; 132 133 }
+16 -9
src/applications/diffusion/view/DiffusionBrowseTableView.php
··· 55 55 $committer = self::renderName($committer); 56 56 } 57 57 if ($author != $committer) { 58 - $author = hsprintf('%s/%s', $author, $committer); 58 + $author .= '/'.$committer; 59 59 } 60 60 } 61 61 ··· 132 132 $browse_text = $path->getPath().'/'; 133 133 $dir_slash = '/'; 134 134 135 - $browse_link = phutil_tag('strong', array(), $this->linkBrowse( 135 + $browse_link = '<strong>'.$this->linkBrowse( 136 136 $base_path.$path->getPath().$dir_slash, 137 137 array( 138 - 'text' => $this->renderPathIcon('dir', $browse_text), 139 - ))); 138 + 'text' => $this->renderPathIcon( 139 + 'dir', 140 + $browse_text), 141 + )).'</strong>'; 140 142 } else if ($file_type == DifferentialChangeType::FILE_SUBMODULE) { 141 143 $browse_text = $path->getPath().'/'; 142 - $browse_link = phutil_tag('strong', array(), $this->linkExternal( 143 - $path->getHash(), 144 - $path->getExternalURI(), 145 - $this->renderPathIcon('ext', $browse_text))); 144 + $browse_link = 145 + '<strong>'. 146 + $this->linkExternal( 147 + $path->getHash(), 148 + $path->getExternalURI(), 149 + $this->renderPathIcon( 150 + 'ext', 151 + $browse_text)). 152 + '</strong>'; 146 153 } else { 147 154 if ($file_type == DifferentialChangeType::FILE_SYMLINK) { 148 155 $type = 'link'; ··· 183 190 184 191 $need_pull[$uri] = $dict; 185 192 foreach ($dict as $k => $uniq) { 186 - $dict[$k] = phutil_tag('span', array('id' => $uniq), ''); 193 + $dict[$k] = '<span id="'.$uniq.'"></span>'; 187 194 } 188 195 } 189 196
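Review bot: In the last hunk, `'<span id="'.$uniq.'"></span>'` places `$uniq` in an attribute value with no escaping, where the removed phutil_tag() call escaped attribute values. `$dict` is filled outside the hunk, so the values may well be generated node IDs, but the string form no longer enforces that. `'<span id="'.phutil_escape_html($uniq).'"></span>'` keeps the guarantee at no cost.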
+4 -4
src/applications/diffusion/view/DiffusionCommentListView.php
··· 87 87 ++$num; 88 88 } 89 89 90 - return phutil_tag( 91 - 'div', 92 - array('class' => 'diffusion-comment-list'), 93 - $comments); 90 + return 91 + '<div class="diffusion-comment-list">'. 92 + $this->renderSingleView($comments). 93 + '</div>'; 94 94 } 95 95 96 96 }
+13 -14
src/applications/diffusion/view/DiffusionCommentView.php
··· 114 114 $actions = array(); 115 115 if ($action == PhabricatorAuditActionConstants::ADD_CCS) { 116 116 $rendered_ccs = $this->renderHandleList($added_ccs); 117 - $actions[] = hsprintf("%s added CCs: %s.", $author_link, $rendered_ccs); 117 + $actions[] = "{$author_link} added CCs: {$rendered_ccs}."; 118 118 } else if ($action == PhabricatorAuditActionConstants::ADD_AUDITORS) { 119 119 $rendered_auditors = $this->renderHandleList($added_auditors); 120 - $actions[] = hsprintf( 121 - "%s added auditors: %s.", 122 - $author_link, 123 - $rendered_auditors); 120 + $actions[] = "{$author_link} added auditors: ". 121 + "{$rendered_auditors}."; 124 122 } else { 125 - $actions[] = hsprintf("%s %s this commit.", $author_link, $verb); 123 + $actions[] = "{$author_link} ".phutil_escape_html($verb)." this commit."; 126 124 } 127 125 128 126 foreach ($actions as $key => $action) { 129 - $actions[$key] = phutil_tag('div', array(), $action); 127 + $actions[$key] = '<div>'.$action.'</div>'; 130 128 } 131 129 132 130 return $actions; ··· 139 137 if (!strlen($comment->getContent()) && empty($this->inlineComments)) { 140 138 return null; 141 139 } else { 142 - return hsprintf( 143 - '<div class="phabricator-remarkup">%s%s</div>', 144 - $engine->getOutput( 145 - $comment, 146 - PhabricatorAuditComment::MARKUP_FIELD_BODY), 147 - $this->renderSingleView($this->renderInlines())); 140 + return 141 + '<div class="phabricator-remarkup">'. 142 + $engine->getOutput( 143 + $comment, 144 + PhabricatorAuditComment::MARKUP_FIELD_BODY). 145 + $this->renderSingleView($this->renderInlines()). 146 + '</div>'; 148 147 } 149 148 } 150 149 ··· 187 186 foreach ($phids as $phid) { 188 187 $result[] = $this->handles[$phid]->renderLink(); 189 188 } 190 - return phutil_implode_html(', ', $result); 189 + return implode(', ', $result); 191 190 } 192 191 193 192 private function renderClasses() {
+1 -1
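--- a/src/applications/diffusion/view/DiffusionCommitChangeTableView.php
+++ b/src/applications/diffusion/view/DiffusionCommitChangeTableView.php
@@ -51,7 +51,7 @@
 ),
 $path);
 } else {
-$path_column = $path;
+$path_column = phutil_escape_html($path);
 }
 
 $rows[] = array(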
+2 -2
src/applications/diffusion/view/DiffusionHistoryTableView.php
··· 107 107 } else { 108 108 $committer = self::renderName($committer); 109 109 } 110 - $author = hsprintf('%s/%s', $author, $committer); 110 + $author .= '/'.$committer; 111 111 } 112 112 113 113 $commit = $history->getCommit(); ··· 118 118 $path = null, 119 119 $history->getCommitIdentifier()); 120 120 } else { 121 - $change = phutil_tag('em', array(), "Importing\xE2\x80\xA6"); 121 + $change = "<em>Importing\xE2\x80\xA6</em>"; 122 122 } 123 123 124 124 $rows[] = array(
+1
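--- a/src/applications/diffusion/view/DiffusionTagListView.php
+++ b/src/applications/diffusion/view/DiffusionTagListView.php
@@ -79,6 +79,7 @@
 $description = $tag->getDescription();
 }
 }
+$description = phutil_escape_html($description);
 
 $rows[] = array(
 $tag_link,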
+1 -1
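--- a/src/applications/diffusion/view/DiffusionView.php
+++ b/src/applications/diffusion/view/DiffusionView.php
@@ -156,7 +156,7 @@
 ),
 $email->getDisplayName());
 }
-return hsprintf('%s', $name);
+return phutil_escape_html($name);
 }
 
 }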
+4 -1
src/applications/diviner/controller/DivinerListController.php
··· 50 50 $flavor); 51 51 } 52 52 53 - $out = phutil_tag('div', array('class' => 'aphront-directory-list'), $out); 53 + $out = 54 + '<div class="aphront-directory-list">'. 55 + implode("\n", $out). 56 + '</div>'; 54 57 55 58 return $this->buildApplicationPage( 56 59 $out,
+1 -1
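--- a/src/applications/drydock/controller/DrydockController.php
+++ b/src/applications/drydock/controller/DrydockController.php
@@ -44,7 +44,7 @@
 'href' => $lease_uri,
 ),
 $log->getLeaseID()),
-$log->getMessage(),
+phutil_escape_html($log->getMessage()),
 phabricator_date($log->getEpoch(), $user),
 );
 }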
+7 -6
src/applications/drydock/controller/DrydockLeaseReleaseController.php
··· 24 24 $dialog = id(new AphrontDialogView()) 25 25 ->setUser($user) 26 26 ->setTitle(pht('Lease Not Active')) 27 - ->appendChild(phutil_tag('p', array(), pht( 28 - 'You can only release "active" leases.'))) 27 + ->appendChild( 28 + '<p>'.pht('You can only release "active" leases.').'</p>') 29 29 ->addCancelButton($lease_uri); 30 30 31 31 return id(new AphrontDialogResponse())->setDialog($dialog); ··· 35 35 $dialog = id(new AphrontDialogView()) 36 36 ->setUser($user) 37 37 ->setTitle(pht('Really release lease?')) 38 - ->appendChild(phutil_tag('p', array(), pht( 39 - 'Releasing a lease may cause trouble for the lease holder and '. 40 - 'trigger cleanup of the underlying resource. It can not be '. 41 - 'undone. Continue?'))) 38 + ->appendChild( 39 + '<p>'.pht( 40 + 'Releasing a lease may cause trouble for the lease holder and '. 41 + 'trigger cleanup of the underlying resource. It can not be '. 42 + 'undone. Continue?').'</p>') 42 43 ->addSubmitButton(pht('Release Lease')) 43 44 ->addCancelButton($lease_uri); 44 45
+6 -5
src/applications/drydock/controller/DrydockResourceCloseController.php
··· 24 24 $dialog = id(new AphrontDialogView()) 25 25 ->setUser($user) 26 26 ->setTitle(pht('Resource Not Open')) 27 - ->appendChild(phutil_tag('p', array(), pht( 28 - 'You can only close "open" resources.'))) 27 + ->appendChild( 28 + '<p>'.pht('You can only close "open" resources.').'</p>') 29 29 ->addCancelButton($resource_uri); 30 30 31 31 return id(new AphrontDialogResponse())->setDialog($dialog); ··· 35 35 $dialog = id(new AphrontDialogView()) 36 36 ->setUser($user) 37 37 ->setTitle(pht('Really close resource?')) 38 - ->appendChild(phutil_tag('p', array(), pht( 39 - 'Closing a resource releases all leases and destroys the '. 40 - 'resource. It can not be undone. Continue?'))) 38 + ->appendChild( 39 + '<p>'.pht( 40 + 'Closing a resource releases all leases and destroys the '. 41 + 'resource. It can not be undone. Continue?').'</p>') 41 42 ->addSubmitButton(pht('Close Resource')) 42 43 ->addCancelButton($resource_uri); 43 44
+4 -1
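--- a/src/applications/fact/controller/PhabricatorFactHomeController.php
+++ b/src/applications/fact/controller/PhabricatorFactHomeController.php
@@ -32,7 +32,10 @@
  $name = $spec->getName();
  $value = $spec->formatValueForDisplay($user, $fact->getValueX());
 
- $rows[] = array($name, $value);
+ $rows[] = array(
+ phutil_escape_html($name),
+ phutil_escape_html($value),
+ );
  }
 
  $table = new AphrontTableView($rows);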
+6 -5
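--- a/src/applications/feed/builder/PhabricatorFeedBuilder.php
+++ b/src/applications/feed/builder/PhabricatorFeedBuilder.php
@@ -40,8 +40,8 @@
 
  if ($date !== $last_date) {
  if ($last_date !== null) {
- $null_view->appendChild(hsprintf(
- '<div class="phabricator-feed-story-date-separator"></div>'));
+ $null_view->appendChild(
+ '<div class="phabricator-feed-story-date-separator"></div>');
  }
  $last_date = $date;
  $null_view->appendChild(
@@ -59,9 +59,10 @@
  $null_view->appendChild($view);
  }
 
- return id(new AphrontNullView())->appendChild(hsprintf(
- '<div class="phabricator-feed-frame">%s</div>',
- $null_view->render()));
+ return id(new AphrontNullView())->appendChild(
+ '<div class="phabricator-feed-frame">'.
+ $null_view->render().
+ '</div>');
  }
 
  }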
+1 -1
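--- a/src/applications/feed/story/PhabricatorFeedStory.php
+++ b/src/applications/feed/story/PhabricatorFeedStory.php
@@ -224,7 +224,7 @@
  foreach ($phids as $phid) {
  $list[] = $this->linkTo($phid);
  }
- return phutil_implode_html(', ', $list);
+ return implode(', ', $list);
  }
 
  final protected function linkTo($phid) {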
+5 -5
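--- a/src/applications/feed/story/PhabricatorFeedStoryAudit.php
+++ b/src/applications/feed/story/PhabricatorFeedStoryAudit.php
@@ -15,11 +15,11 @@
  $action = $this->getValue('action');
  $verb = PhabricatorAuditActionConstants::getActionPastTenseVerb($action);
 
- $view->setTitle(hsprintf(
- '%s %s commit %s.',
- $this->linkTo($author_phid),
- $verb,
- $this->linkTo($commit_phid)));
+ $view->setTitle(
+ $this->linkTo($author_phid).
+ " {$verb} commit ".
+ $this->linkTo($commit_phid).
+ ".");
 
  $view->setEpoch($this->getEpoch());
 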
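Review bot: `$verb` is interpolated into the title unescaped (`" {$verb} commit "`), whereas the removed hsprintf() call passed it as a `%s` argument and escaped it. The value comes from PhabricatorAuditActionConstants::getActionPastTenseVerb(), whose body is not shown; unless that lookup can only return fixed literals, stored or caller-supplied text would reach the feed as markup. Escaping at the assignment keeps the old guarantee: `$verb = phutil_escape_html(PhabricatorAuditActionConstants::getActionPastTenseVerb($action));`. The same raw `{$verb}` interpolation appears in the PhabricatorFeedStoryDifferential, PhabricatorFeedStoryManiphest and PhabricatorFeedStoryPhriction sections.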
+4 -11
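--- a/src/applications/feed/story/PhabricatorFeedStoryCommit.php
+++ b/src/applications/feed/story/PhabricatorFeedStoryCommit.php
@@ -19,14 +19,14 @@
  if ($data->getValue('authorPHID')) {
  $author = $this->linkTo($data->getValue('authorPHID'));
  } else {
- $author = $data->getValue('authorName');
+ $author = phutil_escape_html($data->getValue('authorName'));
  }
 
  $committer = null;
  if ($data->getValue('committerPHID')) {
  $committer = $this->linkTo($data->getValue('committerPHID'));
  } else if ($data->getValue('committerName')) {
- $committer = $data->getValue('committerName');
+ $committer = phutil_escape_html($data->getValue('committerName'));
  }
 
  $commit = $this->linkTo($data->getValue('commitPHID'));
@@ -37,16 +37,9 @@
  }
 
  if ($author) {
- $title = hsprintf(
- "%s committed %s (authored by %s)",
- $committer,
- $commit,
- $author);
+ $title = "{$committer} committed {$commit} (authored by {$author})";
  } else {
- $title = hsprintf(
- "%s committed %s",
- $committer,
- $commit);
+ $title = "{$committer} committed {$commit}";
  }
 
  $view = new PhabricatorFeedStoryView();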
+1 -5
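--- a/src/applications/feed/story/PhabricatorFeedStoryDifferential.php
+++ b/src/applications/feed/story/PhabricatorFeedStoryDifferential.php
@@ -51,11 +51,7 @@
 
  $verb = DifferentialAction::getActionPastTenseVerb($action);
 
- $one_line = hsprintf(
- '%s %s revision %s',
- $actor_link,
- $verb,
- $revision_link);
+ $one_line = "{$actor_link} {$verb} revision {$revision_link}";
 
  return $one_line;
  }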
+4 -11
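--- a/src/applications/feed/story/PhabricatorFeedStoryManiphest.php
+++ b/src/applications/feed/story/PhabricatorFeedStoryManiphest.php
@@ -66,23 +66,16 @@
  case ManiphestAction::ACTION_REASSIGN:
  if ($owner_phid) {
  if ($owner_phid == $actor_phid) {
- $one_line = hsprintf('%s claimed %s', $actor_link, $task_link);
+ $one_line = "{$actor_link} claimed {$task_link}";
  } else {
- $one_line = hsprintf('%s %s %s to %s',
- $actor_link,
- $verb,
- $owner_link,
- $task_link);
+ $one_line = "{$actor_link} {$verb} {$task_link} to {$owner_link}";
  }
  } else {
- $one_line = hsprintf(
- '%s placed %s up for grabs',
- $actor_link,
- $task_link);
+ $one_line = "{$actor_link} placed {$task_link} up for grabs";
  }
  break;
  default:
- $one_line = hsprintf('%s %s %s', $actor_link, $verb, $task_link);
+ $one_line = "{$actor_link} {$verb} {$task_link}";
  break;
  }
 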
+4 -5
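--- a/src/applications/feed/story/PhabricatorFeedStoryPhriction.php
+++ b/src/applications/feed/story/PhabricatorFeedStoryPhriction.php
@@ -17,11 +17,10 @@
  $action = $data->getValue('action');
  $verb = PhrictionActionConstants::getActionPastTenseVerb($action);
 
- $view->setTitle(hsprintf(
- '%s %s the document %s.',
- $this->linkTo($author_phid),
- $verb,
- $this->linkTo($document_phid)));
+ $view->setTitle(
+ $this->linkTo($author_phid).
+ " {$verb} the document ".
+ $this->linkTo($document_phid).'.');
  $view->setEpoch($data->getEpoch());
 
  $action = $data->getValue('action');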
+35 -32
src/applications/feed/story/PhabricatorFeedStoryProject.php
··· 21 21 switch ($type) { 22 22 case PhabricatorProjectTransactionType::TYPE_NAME: 23 23 if (strlen($old)) { 24 - $action = hsprintf( 25 - 'renamed project %s from %s to %s.', 26 - $this->linkTo($proj_phid), 27 - $this->renderString($old), 28 - $this->renderString($new)); 24 + $action = 'renamed project '. 25 + $this->linkTo($proj_phid). 26 + ' from '. 27 + $this->renderString($old). 28 + ' to '. 29 + $this->renderString($new). 30 + '.'; 29 31 } else { 30 - $action = hsprintf( 31 - 'created project %s (as %s).', 32 - $this->linkTo($proj_phid), 33 - $this->renderString($new)); 32 + $action = 'created project '. 33 + $this->linkTo($proj_phid). 34 + ' (as '. 35 + $this->renderString($new). 36 + ').'; 34 37 } 35 38 break; 36 39 case PhabricatorProjectTransactionType::TYPE_STATUS: 37 - $action = hsprintf( 38 - 'changed project %s status from %s to %s.', 39 - $this->linkTo($proj_phid), 40 - $this->renderString(PhabricatorProjectStatus::getNameForStatus($old)), 41 - $this->renderString(PhabricatorProjectStatus::getNameForStatus($new)) 42 - ); 40 + $action = 'changed project '. 41 + $this->linkTo($proj_phid). 42 + ' status from '. 43 + $this->renderString( 44 + PhabricatorProjectStatus::getNameForStatus($old)). 45 + ' to '. 46 + $this->renderString( 47 + PhabricatorProjectStatus::getNameForStatus($new)). 
48 + '.'; 43 49 break; 44 50 case PhabricatorProjectTransactionType::TYPE_MEMBERS: 45 51 $add = array_diff($new, $old); ··· 47 53 48 54 if ((count($add) == 1) && (count($rem) == 0) && 49 55 (head($add) == $author_phid)) { 50 - $action = hsprintf('joined project %s.', $this->linkTo($proj_phid)); 56 + $action = 'joined project '.$this->linkTo($proj_phid).'.'; 51 57 } else if ((count($add) == 0) && (count($rem) == 1) && 52 58 (head($rem) == $author_phid)) { 53 - $action = hsprintf('left project %s.', $this->linkTo($proj_phid)); 59 + $action = 'left project '.$this->linkTo($proj_phid).'.'; 54 60 } else if (empty($rem)) { 55 - $action = hsprintf( 56 - 'added members to project %s: %s.', 57 - $this->linkTo($proj_phid), 58 - $this->renderHandleList($add)); 61 + $action = 'added members to project '. 62 + $this->linkTo($proj_phid).': '. 63 + $this->renderHandleList($add).'.'; 59 64 } else if (empty($add)) { 60 - $action = hsprintf( 61 - 'removed members from project %s: %s.', 62 - $this->linkTo($proj_phid), 63 - $this->renderHandleList($rem)); 65 + $action = 'removed members from project '. 66 + $this->linkTo($proj_phid).': '. 67 + $this->renderHandleList($rem).'.'; 64 68 } else { 65 - $action = hsprintf( 66 - 'changed members of project %s, added: %s; removed: %s.', 67 - $this->linkTo($proj_phid), 68 - $this->renderHandleList($add), 69 - $this->renderHandleList($rem)); 69 + $action = 'changed members of project '. 70 + $this->linkTo($proj_phid).', added: '. 71 + $this->renderHandleList($add).'; removed: '. 72 + $this->renderHandleList($rem).'.'; 70 73 } 71 74 break; 72 75 default: 73 - $action = hsprintf('updated project %s.', $this->linkTo($proj_phid)); 76 + $action = 'updated project '.$this->linkTo($proj_phid).'.'; 74 77 break; 75 78 } 76 - $view->setTitle(hsprintf('%s %s', $this->linkTo($author_phid), $action)); 79 + $view->setTitle($this->linkTo($author_phid).' '.$action); 77 80 $view->setOneLineStory(true); 78 81 79 82 return $view;
+4 -4
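--- a/src/applications/feed/view/PhabricatorFeedStoryView.php
+++ b/src/applications/feed/view/PhabricatorFeedStoryView.php
@@ -58,7 +58,7 @@
  $classes[] = 'phabricator-notification-unread';
  }
 
- return javelin_tag(
+ return javelin_render_tag(
  'div',
  array(
  'class' => implode(' ', $classes),
@@ -72,7 +72,7 @@
 
  public function render() {
 
- $head = phutil_tag(
+ $head = phutil_render_tag(
  'div',
  array(
  'class' => 'phabricator-feed-story-head',
@@ -84,7 +84,7 @@
  $image_style = null;
 
  if (!$this->oneLine) {
- $body = phutil_tag(
+ $body = phutil_render_tag(
  'div',
  array(
  'class' => 'phabricator-feed-story-body',
@@ -111,7 +111,7 @@
 
  require_celerity_resource('phabricator-feed-css');
 
- return phutil_tag(
+ return phutil_render_tag(
  'div',
  array(
  'class' => $this->oneLine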
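Review bot: After these four renames nothing in this view escapes the story title or body, because the `*_render_tag()` variants emit their content argument as given rather than escaping it the way `phutil_tag()`/`javelin_tag()` do. The content arguments themselves sit outside the hunks, so this is inferred from the call shape, but it means the view is only as safe as what each story class hands to `setTitle()`. Several story sections in this commit now build that title by plain string interpolation. A short comment above `render()` would make the contract explicit, for example `// NOTE: title and body are emitted as raw HTML; callers must escape before passing them in.`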
+1 -1
src/applications/flag/events/PhabricatorFlagsUIEventListener.php
··· 31 31 $flag_action = id(new PhabricatorActionView()) 32 32 ->setWorkflow(true) 33 33 ->setHref('/flag/delete/'.$flag->getID().'/') 34 - ->setName('Remove '.$color.' Flag') 34 + ->setName(phutil_escape_html('Remove '.$color.' Flag')) 35 35 ->setIcon('flag-'.$flag->getColor()); 36 36 } else { 37 37 $flag_action = id(new PhabricatorActionView())
+1 -1
src/applications/flag/view/PhabricatorFlagListView.php
··· 27 27 ), 28 28 ''), 29 29 $flag->getHandle()->renderLink(), 30 - $flag->getNote(), 30 + phutil_escape_html($flag->getNote()), 31 31 phabricator_datetime($flag->getDateCreated(), $user), 32 32 phabricator_form( 33 33 $user,
+5 -5
src/applications/help/controller/PhabricatorHelpKeyboardShortcutController.php
··· 27 27 foreach ($shortcut['keys'] as $stroke) { 28 28 $keystrokes[] = phutil_tag('kbd', array(), $stroke); 29 29 } 30 - $keystrokes = phutil_implode_html(' or ', $keystrokes); 30 + $keystrokes = array_interleave(' or ', $keystrokes); 31 31 $rows[] = phutil_tag( 32 32 'tr', 33 33 array(), ··· 37 37 )); 38 38 } 39 39 40 - $table = phutil_tag( 41 - 'table', 42 - array('class' => 'keyboard-shortcut-help'), 43 - $rows); 40 + $table = 41 + '<table class="keyboard-shortcut-help">'. 42 + implode('', $rows). 43 + '</table>'; 44 44 45 45 $dialog = id(new AphrontDialogView()) 46 46 ->setUser($user)
+12 -7
src/applications/herald/controller/HeraldTranscriptController.php
··· 301 301 } 302 302 303 303 $rows[] = array( 304 - $action_names[$apply_xscript->getAction()], 305 - $target, 304 + phutil_escape_html($action_names[$apply_xscript->getAction()]), 305 + phutil_escape_html($target), 306 306 hsprintf( 307 307 '<strong>Taken because:</strong> %s<br />'. 308 308 '<strong>Outcome:</strong> %s %s', ··· 437 437 438 438 $panel = new AphrontPanelView(); 439 439 $panel->setHeader('Rule Details'); 440 - $panel->appendChild(phutil_tag( 441 - 'ul', 442 - array('class' => 'herald-explain-list'), 443 - $rule_markup)); 440 + $panel->appendChild( 441 + '<ul class="herald-explain-list">'. 442 + implode("\n", $rule_markup). 443 + '</ul>'); 444 444 445 445 return $panel; 446 446 } ··· 487 487 'class' => 'herald-field-value-transcript', 488 488 ), 489 489 $value); 490 + } else { 491 + $value = phutil_escape_html($value); 490 492 } 491 493 } 492 494 493 - $rows[] = array($name, $value); 495 + $rows[] = array( 496 + phutil_escape_html($name), 497 + $value, 498 + ); 494 499 } 495 500 496 501 $table = new AphrontTableView($rows);
+3 -3
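--- a/src/applications/herald/view/HeraldRuleEditHistoryView.php
+++ b/src/applications/herald/view/HeraldRuleEditHistoryView.php
@@ -32,14 +32,14 @@
 
  switch ($edit->getAction()) {
  case 'create':
- $details = pht("Created rule '%s'.", $rule_name);
+ $details = "Created rule '{$rule_name}'.";
  break;
  case 'delete':
- $details = pht("Deleted rule '%s'.", $rule_name);
+ $details = "Deleted rule '{$rule_name}'.";
  break;
  case 'edit':
  default:
- $details = pht("Edited rule '%s'.", $rule_name);
+ $details = "Edited rule '{$rule_name}'.";
  break;
  }
 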
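Review bot: `$rule_name` is spliced straight into `$details` in all three cases, where the removed pht() calls passed it as a `%s` argument. Its assignment is above the hunk, so whether it is already escaped cannot be confirmed from here; if it holds the stored rule name as entered, it needs `$rule_name = phutil_escape_html($rule_name);` before the `switch`, and if it is already escaped a one-line comment saying so would save the next reader the lookup. Dropping pht() also takes these three strings out of translation, which a pure escaping revert may not have meant to do.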
+4 -4
src/applications/macro/controller/PhabricatorMacroDisableController.php
··· 43 43 $dialog 44 44 ->setUser($request->getUser()) 45 45 ->setTitle(pht('Really disable macro?')) 46 - ->appendChild(phutil_tag('p', array(), pht( 47 - 'Really disable the much-beloved image macro %s? '. 48 - 'It will be sorely missed.', 49 - $macro->getName()))) 46 + ->appendChild( 47 + '<p>'.pht('Really disable the much-beloved image macro %s? '. 48 + 'It will be sorely missed.', phutil_escape_html($macro->getName())). 49 + '</p>') 50 50 ->setSubmitURI($this->getApplicationURI('/disable/'.$this->id.'/')) 51 51 ->addSubmitButton(pht('Disable')) 52 52 ->addCancelButton($view_uri);
+1 -1
src/applications/macro/controller/PhabricatorMacroViewController.php
··· 147 147 foreach ($subscribers as $subscriber) { 148 148 $sub_view[] = $this->getHandle($subscriber)->renderLink(); 149 149 } 150 - $sub_view = phutil_implode_html(', ', $sub_view); 150 + $sub_view = array_interleave(', ', $sub_view); 151 151 } else { 152 152 $sub_view = phutil_tag('em', array(), pht('None')); 153 153 }
+4 -4
src/applications/macro/storage/PhabricatorMacroTransaction.php
··· 64 64 return pht( 65 65 '%s renamed this macro from "%s" to "%s".', 66 66 $this->renderHandleLink($author_phid), 67 - $old, 68 - $new); 67 + phutil_escape_html($old), 68 + phutil_escape_html($new)); 69 69 break; 70 70 case PhabricatorMacroTransactionType::TYPE_DISABLED: 71 71 if ($new) { ··· 109 109 '%s renamed %s from "%s" to "%s".', 110 110 $this->renderHandleLink($author_phid), 111 111 $this->renderHandleLink($object_phid), 112 - $old, 113 - $new); 112 + phutil_escape_html($old), 113 + phutil_escape_html($new)); 114 114 case PhabricatorMacroTransactionType::TYPE_DISABLED: 115 115 if ($new) { 116 116 return pht(
+2 -2
src/applications/mailinglists/controller/PhabricatorMailingListsListController.php
··· 31 31 $rows = array(); 32 32 foreach ($lists as $list) { 33 33 $rows[] = array( 34 - $list->getName(), 35 - $list->getEmail(), 34 + phutil_escape_html($list->getName()), 35 + phutil_escape_html($list->getEmail()), 36 36 phutil_tag( 37 37 'a', 38 38 array(
+6 -2
src/applications/maniphest/auxiliaryfield/ManiphestAuxiliaryFieldDefaultSpecification.php
··· 152 152 switch ($this->getFieldType()) { 153 153 case self::TYPE_BOOL: 154 154 if ($this->getValue()) { 155 - return $this->getCheckboxValue(); 155 + return phutil_escape_html($this->getCheckboxValue()); 156 156 } else { 157 157 return null; 158 158 } 159 159 case self::TYPE_SELECT: 160 160 $display = idx($this->getSelectOptions(), $this->getValue()); 161 - return $display; 161 + return phutil_escape_html($display); 162 162 } 163 163 return parent::renderForDetailView(); 164 164 } ··· 201 201 "from '{$old}' to '{$new}'"; 202 202 } 203 203 break; 204 + } 205 + 206 + if ($target == self::RENDER_TARGET_HTML) { 207 + $desc = phutil_escape_html($desc); 204 208 } 205 209 206 210 return $desc;
+1 -1
src/applications/maniphest/auxiliaryfield/ManiphestAuxiliaryFieldSpecification.php
··· 71 71 } 72 72 73 73 public function renderForDetailView() { 74 - return $this->getValue(); 74 + return phutil_escape_html($this->getValue()); 75 75 } 76 76 77 77
+4 -4
src/applications/maniphest/controller/ManiphestExportController.php
··· 28 28 $dialog->setUser($user); 29 29 30 30 $dialog->setTitle('Excel Export Not Configured'); 31 - $dialog->appendChild(hsprintf( 31 + $dialog->appendChild( 32 32 '<p>This system does not have PHPExcel installed. This software '. 33 33 'component is required to export tasks to Excel. Have your system '. 34 34 'administrator install it from:</p>'. ··· 38 38 '</p>'. 39 39 '<br />'. 40 40 '<p>Your PHP "include_path" needs to be updated to include the '. 41 - 'PHPExcel Classes/ directory.</p>')); 41 + 'PHPExcel Classes/ directory.</p>'); 42 42 43 43 $dialog->addCancelButton('/maniphest/'); 44 44 return id(new AphrontDialogResponse())->setDialog($dialog); ··· 59 59 $dialog->setUser($user); 60 60 61 61 $dialog->setTitle('Export Tasks to Excel'); 62 - $dialog->appendChild(phutil_tag('p', array(), pht( 63 - 'Do you want to export the query results to Excel?'))); 62 + $dialog->appendChild( 63 + '<p>Do you want to export the query results to Excel?</p>'); 64 64 65 65 $dialog->addCancelButton('/maniphest/'); 66 66 $dialog->addSubmitButton('Export to Excel');
+3 -3
src/applications/maniphest/controller/ManiphestReportController.php
··· 244 244 )); 245 245 246 246 if ($handle) { 247 - $header = pht("Task Burn Rate for Project %s", $handle->renderLink()); 247 + $header = "Task Burn Rate for Project ".$handle->renderLink(); 248 248 $caption = hsprintf( 249 249 "<p>NOTE: This table reflects tasks <em>currently</em> in ". 250 250 "the project. If a task was opened in the past but added to ". ··· 363 363 $fmt = number_format($delta); 364 364 if ($delta > 0) { 365 365 $fmt = '+'.$fmt; 366 - $fmt = hsprintf('<span class="red">%s</span>', $fmt); 366 + $fmt = '<span class="red">'.$fmt.'</span>'; 367 367 } else { 368 - $fmt = hsprintf('<span class="green">%s</span>', $fmt); 368 + $fmt = '<span class="green">'.$fmt.'</span>'; 369 369 } 370 370 371 371 return array(
+2 -2
src/applications/maniphest/controller/ManiphestSavedQueryListController.php
··· 81 81 'value' => 0, 82 82 'checked' => ($default === null ? 'checked' : null), 83 83 )), 84 - phutil_tag('em', array(), 'No Default'), 84 + '<em>No Default</em>', 85 85 '', 86 86 '', 87 87 ); ··· 111 111 'Save Default Query')); 112 112 $panel->appendChild($table); 113 113 114 - $form = phabricator_form( 114 + $form = phabricator_render_form( 115 115 $user, 116 116 array( 117 117 'method' => 'POST',
+4 -3
src/applications/maniphest/controller/ManiphestTaskDescriptionPreviewController.php
··· 18 18 ManiphestTask::MARKUP_FIELD_DESCRIPTION, 19 19 $request->getUser()); 20 20 21 - $content = hsprintf( 22 - '<div class="phabricator-remarkup">%s</div>', 23 - $output); 21 + $content = 22 + '<div class="phabricator-remarkup">'. 23 + $output. 24 + '</div>'; 24 25 25 26 return id(new AphrontAjaxResponse()) 26 27 ->setContent($content);
+32 -27
src/applications/maniphest/controller/ManiphestTaskDetailController.php
··· 88 88 89 89 if ($parent_task) { 90 90 $context_bar = new AphrontContextBarView(); 91 - $context_bar->addButton(phutil_tag( 92 - 'a', 93 - array( 94 - 'href' => '/maniphest/task/create/?parent='.$parent_task->getID(), 95 - 'class' => 'green button', 96 - ), 97 - 'Create Another Subtask')); 98 - $context_bar->appendChild(hsprintf( 99 - 'Created a subtask of <strong>%s</strong>', 100 - $this->getHandle($parent_task->getPHID())->renderLink())); 91 + $context_bar->addButton( 92 + phutil_tag( 93 + 'a', 94 + array( 95 + 'href' => '/maniphest/task/create/?parent='.$parent_task->getID(), 96 + 'class' => 'green button', 97 + ), 98 + 'Create Another Subtask')); 99 + $context_bar->appendChild( 100 + 'Created a subtask of <strong>'. 101 + $this->getHandle($parent_task->getPHID())->renderLink(). 102 + '</strong>'); 101 103 } else if ($workflow == 'create') { 102 104 $context_bar = new AphrontContextBarView(); 103 - $context_bar->addButton(phutil_tag('label', array(), 'Create Another')); 104 - $context_bar->addButton(phutil_tag( 105 - 'a', 106 - array( 107 - 'href' => '/maniphest/task/create/?template='.$task->getID(), 108 - 'class' => 'green button', 109 - ), 105 + $context_bar->addButton('<label>Create Another:</label>'); 106 + $context_bar->addButton( 107 + phutil_tag( 108 + 'a', 109 + array( 110 + 'href' => '/maniphest/task/create/?template='.$task->getID(), 111 + 'class' => 'green button', 112 + ), 110 113 'Similar Task')); 111 - $context_bar->addButton(phutil_tag( 112 - 'a', 113 - array( 114 - 'href' => '/maniphest/task/create/', 115 - 'class' => 'green button', 116 - ), 114 + $context_bar->addButton( 115 + phutil_tag( 116 + 'a', 117 + array( 118 + 'href' => '/maniphest/task/create/', 119 + 'class' => 'green button', 120 + ), 117 121 'Empty Task')); 118 122 $context_bar->appendChild('New task created.'); 119 123 } ··· 301 305 $comment_header = id(new PhabricatorHeaderView()) 302 306 ->setHeader($is_serious ? 
pht('Add Comment') : pht('Weigh In')); 303 307 304 - $preview_panel = hsprintf( 308 + $preview_panel = 305 309 '<div class="aphront-panel-preview"> 306 310 <div id="transaction-preview"> 307 - <div class="aphront-panel-preview-loading-text">%s</div> 311 + <div class="aphront-panel-preview-loading-text"> 312 + '.pht('Loading preview...').' 313 + </div> 308 314 </div> 309 - </div>', 310 - pht('Loading preview...')); 315 + </div>'; 311 316 312 317 $transaction_view = new ManiphestTransactionListView(); 313 318 $transaction_view->setTransactions($transactions);
+4 -4
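--- a/src/applications/maniphest/controller/ManiphestTaskEditController.php
+++ b/src/applications/maniphest/controller/ManiphestTaskEditController.php
@@ -456,7 +456,7 @@
 
  if ($files) {
  $file_display = mpull($files, 'getName');
- $file_display = phutil_implode_html(phutil_tag('br'), $file_display);
+ $file_display = array_interleave(phutil_tag('br'), $file_display);
 
  $form->appendChild(
  id(new AphrontFormMarkupControl())
@@ -512,7 +512,7 @@
  $panel->appendChild($form);
  $panel->setNoBackground();
 
- $description_preview_panel = hsprintf(
+ $description_preview_panel =
  '<div class="aphront-panel-preview aphront-panel-preview-full">
  <div class="maniphest-description-preview-header">
  Description Preview
@@ -522,7 +522,7 @@
  Loading preview...
  </div>
  </div>
- </div>');
+ </div>';
 
  Javelin::initBehavior(
  'maniphest-description-preview',
@@ -542,7 +542,7 @@
  array(
  $error_view,
  $panel,
- $description_preview_panel,
+ $description_preview_panel
  ),
  array(
  'title' => $header_name,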
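Review bot: The file names from `mpull($files, 'getName')` reach the markup control without any escaping in the first hunk: array_interleave() only places the `<br>` tags between them, while the removed phutil_implode_html() escaped each element. File names are presumably user-supplied, and how AphrontFormMarkupControl renders an array value is outside the hunk, so this needs confirming. Escaping at the source does not depend on that: `$file_display = array_map('phutil_escape_html', mpull($files, 'getName'));`. The last hunk also drops the trailing comma after `$description_preview_panel`, which is unrelated noise in a revert.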
+27 -23
src/applications/maniphest/controller/ManiphestTaskListController.php
··· 298 298 require_celerity_resource('maniphest-task-summary-css'); 299 299 300 300 $list_container = new AphrontNullView(); 301 - $list_container->appendChild(hsprintf( 302 - '<div class="maniphest-list-container">')); 301 + $list_container->appendChild('<div class="maniphest-list-container">'); 303 302 304 303 if (!$have_tasks) { 305 - $list_container->appendChild(hsprintf( 304 + $list_container->appendChild( 306 305 '<h1 class="maniphest-task-group-header">'. 307 306 'No matching tasks.'. 308 - '</h1>')); 307 + '</h1>'); 309 308 } else { 310 309 $pager = new AphrontPagerView(); 311 310 $pager->setURI($request->getRequestURI(), 'offset'); ··· 317 316 $max = min($pager->getOffset() + $page_size, $total_count); 318 317 $tot = $total_count; 319 318 320 - $list_container->appendChild(hsprintf( 319 + $cur = number_format($cur); 320 + $max = number_format($max); 321 + $tot = number_format($tot); 322 + 323 + $list_container->appendChild( 321 324 '<div class="maniphest-total-result-count">'. 322 - "Displaying tasks %s - %s of %s.". 323 - '</div>', 324 - number_format($cur), 325 - number_format($max), 326 - number_format($tot))); 325 + "Displaying tasks {$cur} - {$max} of {$tot}.". 
326 + '</div>'); 327 327 328 328 $selector = new AphrontNullView(); 329 329 ··· 334 334 ($group == 'none' || $group == 'priority'); 335 335 336 336 $lists = new AphrontNullView(); 337 - $lists->appendChild(hsprintf('<div class="maniphest-group-container">')); 337 + $lists->appendChild('<div class="maniphest-group-container">'); 338 338 foreach ($tasks as $group => $list) { 339 339 $task_list = new ManiphestTaskListView(); 340 340 $task_list->setShowBatchControls(true); ··· 367 367 368 368 $lists->appendChild($panel); 369 369 } 370 - $lists->appendChild(hsprintf('</div>')); 370 + $lists->appendChild('</div>'); 371 371 $selector->appendChild($lists); 372 372 373 373 374 374 $selector->appendChild($this->renderBatchEditor($query)); 375 375 376 376 $form_id = celerity_generate_unique_node_id(); 377 - $selector = phabricator_form( 377 + $selector = phabricator_render_form( 378 378 $user, 379 379 array( 380 380 'method' => 'POST', ··· 394 394 )); 395 395 } 396 396 397 - $list_container->appendChild(hsprintf('</div>')); 397 + $list_container->appendChild('</div>'); 398 398 $nav->appendChild($list_container); 399 399 400 400 $title = pht('Task List'); ··· 678 678 ), 679 679 'Export Tasks to Excel...'); 680 680 681 - return hsprintf( 681 + return 682 682 '<div class="maniphest-batch-editor">'. 683 683 '<div class="batch-editor-header">Batch Task Editor</div>'. 684 684 '<table class="maniphest-batch-editor-layout">'. 685 685 '<tr>'. 686 - '<td>%s%s</td>'. 687 - '<td>%s</td>'. 688 - '<td id="batch-select-status-cell">0 Selected Tasks</td>'. 689 - '<td class="batch-select-submit-cell">%s</td>'. 686 + '<td>'. 687 + $select_all. 688 + $select_none. 689 + '</td>'. 690 + '<td>'. 691 + $export. 692 + '</td>'. 693 + '<td id="batch-select-status-cell">'. 694 + '0 Selected Tasks'. 695 + '</td>'. 696 + '<td class="batch-select-submit-cell">'.$submit.'</td>'. 690 697 '</tr>'. 691 698 '</table>'. 
692 - '</table>', 693 - $select_all, $select_none, 694 - $export, 695 - $submit); 699 + '</table>'; 696 700 } 697 701 698 702 private function buildQueryFromRequest() {
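Review bot: The markup returned at the end of the last hunk closes `<table>` twice and never closes the opening `<div class="maniphest-batch-editor">`, since the final two string pieces are both `'</table>'`. The removed hsprintf() version had the same slip, so the revert carries it over; the last piece should read `'</div>';`. With hand-concatenated strings nothing balances tags for you, and an unclosed container changes how everything appended after the batch editor nests. The function begins above the hunk.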
+1 -1
src/applications/maniphest/view/ManiphestTaskListView.php
··· 45 45 $views[] = $view->render(); 46 46 } 47 47 48 - return $this->renderSingleView($views); 48 + return $this->renderHTMLView($views); 49 49 } 50 50 51 51 }
+1 -1
src/applications/maniphest/view/ManiphestTaskProjectsView.php
··· 52 52 "\xE2\x80\xA6"); 53 53 } 54 54 55 - return $this->renderSingleView($tags); 55 + return $this->renderHTMLView($tags); 56 56 } 57 57 58 58 }
+9 -6
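--- a/src/applications/maniphest/view/ManiphestTransactionDetailView.php
+++ b/src/applications/maniphest/view/ManiphestTransactionDetailView.php
@@ -179,17 +179,17 @@
  }
 
  if ($this->getRenderSummaryOnly()) {
- return phutil_implode_html("\n", $descs);
+ return implode("\n", $descs);
  }
 
  if ($comment_transaction && $comment_transaction->hasComments()) {
  $comment_block = $this->markupEngine->getOutput(
  $comment_transaction,
  ManiphestTransaction::MARKUP_FIELD_BODY);
- $comment_block = phutil_tag(
- 'div',
- array('class' => 'maniphest-transaction-comments phabricator-remarkup'),
- $comment_block);
+ $comment_block =
+ '<div class="maniphest-transaction-comments phabricator-remarkup">'.
+ $comment_block.
+ '</div>';
  } else {
  $comment_block = null;
  }
@@ -590,6 +590,9 @@
  DifferentialChangesetParser::parseRangeSpecification($spec);
  $output = $parser->render($range_s, $range_e, $mask);
 
+ // TODO: [HTML] DifferentialChangesetParser needs cleanup.
+ $output = phutil_safe_html($output);
+
  return $output;
  }
 
@@ -624,7 +627,7 @@
  $links[] = $this->handles[$phid]->renderLink();
  }
  }
- return phutil_implode_html(', ', $links);
+ return implode(', ', $links);
  }
 
  private function renderString($string) {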
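Review bot: `phutil_safe_html($output)` in the third hunk marks whatever `$parser->render()` returns as trusted markup, and the TODO above it does not say what that trust rests on. The parser is outside this page, so whether it escapes diff content itself cannot be checked here; the comment should record the assumption, e.g. `// TODO: [HTML] Trusts DifferentialChangesetParser::render() to escape diff content itself; verify before removing this wrapper.` The first hunk's `implode("\n", $descs)` has the same dependency on each `$descs` entry having been escaped where it was built, above the hunk.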
+4 -4
src/applications/maniphest/view/ManiphestTransactionListView.php
··· 102 102 $views[] = $view->render(); 103 103 } 104 104 105 - return phutil_tag( 106 - 'div', 107 - array('class' => 'maniphest-transaction-list-view'), 108 - $views); 105 + return 106 + '<div class="maniphest-transaction-list-view">'. 107 + implode("\n", $views). 108 + '</div>'; 109 109 } 110 110 111 111 }
+2 -2
src/applications/meta/view/PhabricatorApplicationLaunchView.php
··· 128 128 'href' => $application ? $application->getBaseURI() : null, 129 129 'title' => $application ? $application->getShortDescription() : null, 130 130 ), 131 - $this->renderSingleView( 131 + $this->renderHTMLView( 132 132 array( 133 133 $icon, 134 134 $content, 135 135 ))); 136 136 137 - return $this->renderSingleView( 137 + return $this->renderHTMLView( 138 138 array( 139 139 $app_button, 140 140 $create_button,
+1 -1
src/applications/metamta/controller/PhabricatorMetaMTAListController.php
··· 67 67 phabricator_datetime($mail->getDateCreated(), $user), 68 68 phabricator_format_relative_time_detailed( 69 69 time() - $mail->getDateModified()), 70 - $mail->getSubject(), 70 + phutil_escape_html($mail->getSubject()), 71 71 phutil_tag( 72 72 'a', 73 73 array(
+1 -1
src/applications/metamta/controller/PhabricatorMetaMTAReceivedListController.php
··· 38 38 $mail->getRelatedPHID() 39 39 ? $handles[$mail->getRelatedPHID()]->renderLink() 40 40 : '-', 41 - $mail->getMessage(), 41 + phutil_escape_html($mail->getMessage()), 42 42 ); 43 43 } 44 44
+10 -7
src/applications/notification/controller/PhabricatorNotificationListController.php
··· 43 43 44 44 if ($notifications) { 45 45 $builder = new PhabricatorNotificationBuilder($notifications); 46 - $view = $builder->buildView()->render(); 46 + $view = $builder->buildView(); 47 47 } else { 48 - $view = hsprintf( 49 - '<div class="phabricator-notification no-notifications">%s</div>', 50 - $no_data); 48 + $view = 49 + '<div class="phabricator-notification no-notifications">'. 50 + $no_data. 51 + '</div>'; 51 52 } 52 53 53 - $view = hsprintf( 54 - '<div class="phabricator-notification-list">%s</div>', 55 - $view); 54 + $view = array( 55 + '<div class="phabricator-notification-list">', 56 + $view, 57 + '</div>', 58 + ); 56 59 57 60 $panel = new AphrontPanelView(); 58 61 $panel->setHeader($header);
+17 -15
src/applications/notification/controller/PhabricatorNotificationPanelController.php
··· 20 20 $notifications_view = $builder->buildView(); 21 21 $content = $notifications_view->render(); 22 22 } else { 23 - $content = hsprintf( 24 - '<div class="phabricator-notification no-notifications">%s</div>', 25 - pht('You have no notifications.')); 23 + $content = 24 + '<div class="phabricator-notification no-notifications">'. 25 + 'You have no notifications.'. 26 + '</div>'; 26 27 } 27 28 28 - $content = hsprintf( 29 - '<div class="phabricator-notification-header">%s</div>'. 30 - '%s'. 31 - '<div class="phabricator-notification-view-all">%s</div>', 32 - pht('Notifications'), 33 - $content, 34 - phutil_tag( 35 - 'a', 36 - array( 37 - 'href' => '/notification/', 38 - ), 39 - 'View All Notifications')); 29 + $content = 30 + '<div class="phabricator-notification-header">'. 31 + pht('Notifications'). 32 + '</div>'. 33 + $content. 34 + '<div class="phabricator-notification-view-all">'. 35 + phutil_tag( 36 + 'a', 37 + array( 38 + 'href' => '/notification/', 39 + ), 40 + 'View All Notifications'). 41 + '</div>'; 40 42 41 43 $unread_count = id(new PhabricatorFeedStoryNotification()) 42 44 ->countUnread($user);
+5 -2
src/applications/notification/controller/PhabricatorNotificationStatusController.php
··· 45 45 46 46 $rows = array(); 47 47 foreach ($status as $key => $value) { 48 + $label = phutil_escape_html($key); 49 + 48 50 switch ($key) { 49 51 case 'uptime': 50 52 $value /= 1000; 51 53 $value = phabricator_format_relative_time_detailed($value); 52 54 break; 53 55 case 'log': 56 + $value = phutil_escape_html($value); 54 57 break; 55 58 default: 56 - $value = number_format($value); 59 + $value = phutil_escape_html(number_format($value)); 57 60 break; 58 61 } 59 62 60 - $rows[] = array($key, $value); 63 + $rows[] = array($label, $value); 61 64 } 62 65 63 66 $table = new AphrontTableView($rows);
+2 -1
src/applications/oauthserver/controller/PhabricatorOAuthServerAuthController.php
··· 143 143 144 144 // display time -- make a nice form for the user to grant the client 145 145 // access to the granularity specified by $scope 146 - $title = 'Authorize '.$client->getName().'?'; 146 + $name = phutil_escape_html($client->getName()); 147 + $title = 'Authorize ' . $name . '?'; 147 148 $panel = new AphrontPanelView(); 148 149 $panel->setWidth(AphrontPanelView::WIDTH_FORM); 149 150 $panel->setHeader($title);
+5 -3
src/applications/oauthserver/controller/client/PhabricatorOAuthClientDeleteController.php
··· 32 32 ->setURI('/oauthserver/client/?deleted=1'); 33 33 } 34 34 35 - $title .= ' '.$client->getName(); 35 + $client_name = phutil_escape_html($client->getName()); 36 + $title .= ' '.$client_name; 36 37 37 38 $dialog = new AphrontDialogView(); 38 39 $dialog->setUser($current_user); 39 40 $dialog->setTitle($title); 40 - $dialog->appendChild(phutil_tag('p', array(), pht( 41 - 'Are you sure you want to delete this client?'))); 41 + $dialog->appendChild( 42 + '<p>Are you sure you want to delete this client?</p>' 43 + ); 42 44 $dialog->addSubmitButton(); 43 45 $dialog->addCancelButton($client->getEditURI()); 44 46 return id(new AphrontDialogResponse())->setDialog($dialog);
+2
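--- a/src/applications/oauthserver/controller/client/PhabricatorOAuthClientListController.php
+++ b/src/applications/oauthserver/controller/client/PhabricatorOAuthClientListController.php
@@ -113,8 +113,10 @@
 $new = $this->getRequest()->getStr('new');
 $deleted = $this->getRequest()->getBool('deleted');
 if ($edited) {
+$edited = phutil_escape_html($edited);
 $title = 'Successfully edited client with id '.$edited.'.';
 } else if ($new) {
+$new = phutil_escape_html($new);
 $title = 'Successfully created client with id '.$new.'.';
 } else if ($deleted) {
 $title = 'Successfully deleted client.';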
+6 -3
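--- a/src/applications/oauthserver/controller/clientauthorization/PhabricatorOAuthClientAuthorizationDeleteController.php
+++ b/src/applications/oauthserver/controller/clientauthorization/PhabricatorOAuthClientAuthorizationDeleteController.php
@@ -37,17 +37,20 @@
 ->loadOneWhere('phid = %s',
 $client_phid);
 if ($client) {
-$title .= ' for '.$client->getName();
+$client_name = phutil_escape_html($client->getName());
+$title .= ' for '.$client_name;
 } else {
 // the client does not exist so token is dead already (but
 // let's let the user clean this up anyway in that case)
+$client_name = '';
 }
 
 $dialog = new AphrontDialogView();
 $dialog->setUser($current_user);
 $dialog->setTitle($title);
-$dialog->appendChild(phutil_tag('p', array(), pht(
-'Are you sure you want to delete this client authorization?')));
+$dialog->appendChild(
+'<p>Are you sure you want to delete this client authorization?</p>'
+);
 $dialog->addSubmitButton();
 $dialog->addCancelButton($authorization->getEditURI());
 return id(new AphrontDialogResponse())->setDialog($dialog);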
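Review bot: `$client_name = '';` in the `else` branch is assigned but not read anywhere in the lines shown; `$title` is only extended in the `if` branch. If nothing outside the hunk uses it, the assignment can be removed. PhabricatorOAuthClientAuthorizationListController has the same pattern: `$edited = phutil_escape_html($edited);` escapes a value that the title string on the following line does not include.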
+1
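--- a/src/applications/oauthserver/controller/clientauthorization/PhabricatorOAuthClientAuthorizationListController.php
+++ b/src/applications/oauthserver/controller/clientauthorization/PhabricatorOAuthClientAuthorizationListController.php
@@ -137,6 +137,7 @@
 $edited = $this->getRequest()->getStr('edited');
 $deleted = $this->getRequest()->getBool('deleted');
 if ($edited) {
+$edited = phutil_escape_html($edited);
 $title = 'Successfully edited client authorization.';
 } else if ($deleted) {
 $title = 'Successfully deleted client authorization.';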
+26 -18
src/applications/owners/controller/PhabricatorOwnersDetailController.php
··· 47 47 48 48 $rows = array(); 49 49 50 - $rows[] = array('Name', $package->getName()); 51 - $rows[] = array('Description', $package->getDescription()); 50 + $rows[] = array( 51 + 'Name', 52 + phutil_escape_html($package->getName())); 53 + $rows[] = array( 54 + 'Description', 55 + phutil_escape_html($package->getDescription())); 52 56 53 57 $primary_owner = null; 54 58 $primary_phid = $package->getPrimaryOwnerPHID(); 55 59 if ($primary_phid && isset($handles[$primary_phid])) { 56 - $primary_owner = phutil_tag( 57 - 'strong', 58 - array(), 59 - $handles[$primary_phid]->renderLink()); 60 + $primary_owner = 61 + '<strong>'.$handles[$primary_phid]->renderLink().'</strong>'; 60 62 } 61 - $rows[] = array('Primary Owner', $primary_owner); 63 + $rows[] = array( 64 + 'Primary Owner', 65 + $primary_owner, 66 + ); 62 67 63 68 $owner_links = array(); 64 69 foreach ($owners as $owner) { 65 70 $owner_links[] = $handles[$owner->getUserPHID()]->renderLink(); 66 71 } 67 - $owner_links = phutil_implode_html(phutil_tag('br'), $owner_links); 68 - $rows[] = array('Owners', $owner_links); 72 + $owner_links = implode('<br />', $owner_links); 73 + $rows[] = array( 74 + 'Owners', 75 + $owner_links); 69 76 70 77 $rows[] = array( 71 78 'Auditing', ··· 92 99 'href' => (string) $href, 93 100 ), 94 101 $path->getPath()); 95 - $path_links[] = hsprintf( 96 - '%s %s %s', 97 - ($path->getExcluded() ? "\xE2\x80\x93" : '+'), 98 - $repo_name, 99 - $path_link); 102 + $path_links[] = 103 + ($path->getExcluded() ? '&ndash;' : '+').' '. 104 + $repo_name.' 
'.$path_link; 100 105 } 101 - $path_links = phutil_implode_html(phutil_tag('br'), $path_links); 102 - $rows[] = array('Paths', $path_links); 106 + $path_links = implode('<br />', $path_links); 107 + $rows[] = array( 108 + 'Paths', 109 + $path_links); 103 110 104 111 $table = new AphrontTableView($rows); 105 112 $table->setColumnClasses( ··· 109 116 )); 110 117 111 118 $panel = new AphrontPanelView(); 112 - $panel->setHeader('Package Details for "'.$package->getName().'"'); 119 + $panel->setHeader( 120 + 'Package Details for "'.phutil_escape_html($package->getName()).'"'); 113 121 $panel->addButton( 114 122 javelin_tag( 115 123 'a', ··· 199 207 $commit_panels = array(); 200 208 foreach ($commit_views as $commit_view) { 201 209 $commit_panel = new AphrontPanelView(); 202 - $commit_panel->setHeader($commit_view['header']); 210 + $commit_panel->setHeader(phutil_escape_html($commit_view['header'])); 203 211 if (isset($commit_view['button'])) { 204 212 $commit_panel->addButton($commit_view['button']); 205 213 }
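Review bot: `$repo_name` is concatenated into `$path_links[]` as raw markup, and it is assigned outside this hunk, so its escaping cannot be confirmed from here. With `hsprintf()` gone nothing escapes it at this point; if it holds a plain repository name rather than an already-built tag, wrap it as `phutil_escape_html($repo_name)`. A short comment above the concatenation, such as `// $repo_name and $path_link are already HTML`, would record the assumption either way.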
+8 -9
src/applications/owners/controller/PhabricatorOwnersListController.php
··· 235 235 foreach ($pkg_owners as $key => $owner) { 236 236 $pkg_owners[$key] = $handles[$owner->getUserPHID()]->renderLink(); 237 237 if ($owner->getUserPHID() == $package->getPrimaryOwnerPHID()) { 238 - $pkg_owners[$key] = phutil_tag('strong', array(), $pkg_owners[$key]); 238 + $pkg_owners[$key] = '<strong>'.$pkg_owners[$key].'</strong>'; 239 239 } 240 240 } 241 - $pkg_owners = phutil_implode_html(phutil_tag('br'), $pkg_owners); 241 + $pkg_owners = implode('<br />', $pkg_owners); 242 242 243 243 $pkg_paths = idx($paths, $package->getID(), array()); 244 244 foreach ($pkg_paths as $key => $path) { ··· 251 251 'path' => $path->getPath(), 252 252 'action' => 'browse', 253 253 )); 254 - $pkg_paths[$key] = hsprintf( 255 - '%s %s%s', 256 - ($path->getExcluded() ? "\xE2\x80\x93" : '+'), 257 - phutil_tag('strong', array(), $repo->getName()), 254 + $pkg_paths[$key] = 255 + ($path->getExcluded() ? '&ndash;' : '+').' '. 256 + phutil_tag('strong', array(), $repo->getName()). 258 257 phutil_tag( 259 258 'a', 260 259 array( 261 260 'href' => (string) $href, 262 261 ), 263 - $path->getPath())); 262 + $path->getPath()); 264 263 } else { 265 - $pkg_paths[$key] = $path->getPath(); 264 + $pkg_paths[$key] = phutil_escape_html($path->getPath()); 266 265 } 267 266 } 268 - $pkg_paths = phutil_implode_html(phutil_tag('br'), $pkg_paths); 267 + $pkg_paths = implode('<br />', $pkg_paths); 269 268 270 269 $rows[] = array( 271 270 phutil_tag(
+1 -1
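--- a/src/applications/paste/controller/PhabricatorPasteListController.php
+++ b/src/applications/paste/controller/PhabricatorPasteListController.php
@@ -109,7 +109,7 @@
 $lang_name = $paste->getLanguage();
 if ($lang_name) {
 $lang_name = idx($lang_map, $lang_name, $lang_name);
-$item->addIcon('none', $lang_name);
+$item->addIcon('none', phutil_escape_html($lang_name));
 }
 
 $list->addItem($item);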
+28 -23
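--- a/src/applications/people/controller/PhabricatorPeopleLdapController.php
+++ b/src/applications/people/controller/PhabricatorPeopleLdapController.php
@@ -153,29 +153,34 @@
 
 private function renderUserInputs($user) {
 $username = $user[0];
-return hsprintf(
-'%s%s%s',
-phutil_tag(
-'input',
-array(
-'type' => 'checkbox',
-'name' => 'usernames[]',
-'value' => $username,
-)),
-phutil_tag(
-'input',
-array(
-'type' => 'hidden',
-'name' => "email[$username]",
-'value' => $user[1],
-)),
-phutil_tag(
-'input',
-array(
-'type' => 'hidden',
-'name' => "name[$username]",
-'value' => $user[2],
-)));
+$inputs = phutil_tag(
+'input',
+array(
+'type' => 'checkbox',
+'name' => 'usernames[]',
+'value' =>$username,
+),
+'');
+
+$inputs .= phutil_tag(
+'input',
+array(
+'type' => 'hidden',
+'name' => "email[$username]",
+'value' =>$user[1],
+),
+'');
+
+$inputs .= phutil_tag(
+'input',
+array(
+'type' => 'hidden',
+'name' => "name[$username]",
+'value' =>$user[2],
+),
+'');
+
+return $inputs;
 }
 
 }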
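Review bot: The three attribute arrays in `renderUserInputs()` are written `'value' =>$username`, `'value' =>$user[1]` and `'value' =>$user[2]`, without the space after `=>` that the neighbouring `'type' => 'checkbox'` entries have. Write them as `'value' => $username,` and so on. The added `''` content argument on each `input` could probably also be dropped, since the removed calls built the same tags without it.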
+1 -1
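--- a/src/applications/people/controller/PhabricatorPeopleListController.php
+++ b/src/applications/people/controller/PhabricatorPeopleListController.php
@@ -55,7 +55,7 @@
 'href' => '/p/'.$user->getUsername().'/',
 ),
 $user->getUserName()),
-$user->getRealName(),
+phutil_escape_html($user->getRealName()),
 $status,
 $email,
 phutil_tag(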
+4 -2
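--- a/src/applications/people/controller/PhabricatorPeopleLogsController.php
+++ b/src/applications/people/controller/PhabricatorPeopleLogsController.php
@@ -157,8 +157,10 @@
 phabricator_date($log->getDateCreated(),$user),
 phabricator_time($log->getDateCreated(),$user),
 $log->getAction(),
-$log->getActorPHID() ? $handles[$log->getActorPHID()]->getName() : null,
-$handles[$log->getUserPHID()]->getName(),
+$log->getActorPHID()
+? phutil_escape_html($handles[$log->getActorPHID()]->getName())
+: null,
+phutil_escape_html($handles[$log->getUserPHID()]->getName()),
 json_encode($log->getOldValue(), true),
 json_encode($log->getNewValue(), true),
 phutil_tag(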
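Review bot: The name cells are now escaped, but `$log->getAction()` and the two `json_encode(...)` cells in the same row are still passed as raw strings. The second argument `true` is read by `json_encode()` as the flags value 1, which is `JSON_HEX_TAG`, so `<` and `>` happen to be encoded, but `&` and quotes are not and the intent is not visible. Assuming the table emits cells as HTML, escape explicitly with `phutil_escape_html(json_encode($log->getOldValue())),` and do the same for the new value and the action. The row array continues outside the hunk.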
+10 -7
src/applications/people/controller/PhabricatorPeopleProfileController.php
··· 142 142 143 143 $nav->appendChild($header); 144 144 145 - $content = hsprintf('<div style="padding: 1em;">%s</div>', $content); 145 + $content = '<div style="padding: 1em;">'.$content.'</div>'; 146 146 $header->appendChild($content); 147 147 148 148 if ($user->getPHID() == $viewer->getPHID()) { ··· 172 172 173 173 $blurb = nonempty( 174 174 $profile->getBlurb(), 175 - '//'.pht('Nothing is known about this rare specimen.').'//' 175 + '//'. 176 + pht('Nothing is known about this rare specimen.') 177 + .'//' 176 178 ); 177 179 178 180 $engine = PhabricatorMarkupEngine::newProfileMarkupEngine(); 179 - $blurb = $engine->markupText($blurb); 181 + $blurb = phutil_safe_html($engine->markupText($blurb)); 180 182 181 183 $viewer = $this->getRequest()->getUser(); 182 184 ··· 230 232 $builder->setUser($viewer); 231 233 $view = $builder->buildView(); 232 234 233 - return hsprintf( 235 + return 234 236 '<div class="phabricator-profile-info-group"> 235 237 <h1 class="phabricator-profile-info-header">Activity Feed</h1> 236 - <div class="phabricator-profile-info-pane">%s</div> 237 - </div>', 238 - $view->render()); 238 + <div class="phabricator-profile-info-pane"> 239 + '.$view->render().' 240 + </div> 241 + </div>'; 239 242 } 240 243 }
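Review bot: `phutil_safe_html($engine->markupText($blurb))` marks the markup engine's output as trusted HTML without saying why that is safe. The blurb comes from `$profile->getBlurb()`, presumably user-authored, so the page relies on the engine escaping everything it does not render itself. I would add a comment above the call, e.g. `// markupText() returns rendered HTML; escaping the user-supplied blurb is the engine's job.` The enclosing method starts outside the hunk.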
+1 -1
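--- a/src/applications/phame/controller/blog/PhameBlogDeleteController.php
+++ b/src/applications/phame/controller/blog/PhameBlogDeleteController.php
@@ -41,7 +41,7 @@
 ->appendChild(
 pht(
 'Really delete the blog "%s"? It will be gone forever.',
-$blog->getName()))
+phutil_escape_html($blog->getName())))
 ->addSubmitButton(pht('Delete'))
 ->addCancelButton($cancel_uri);
 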
+1 -1
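--- a/src/applications/phame/controller/post/PhamePostDeleteController.php
+++ b/src/applications/phame/controller/post/PhamePostDeleteController.php
@@ -41,7 +41,7 @@
 ->appendChild(
 pht(
 'Really delete the post "%s"? It will be gone forever.',
-$post->getTitle()))
+phutil_escape_html($post->getTitle())))
 ->addSubmitButton(pht('Delete'))
 ->addCancelButton($cancel_uri);
 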
+2 -2
src/applications/phame/controller/post/PhamePostEditController.php
··· 148 148 ->setValue($submit_button) 149 149 ); 150 150 151 - $preview_panel = hsprintf( 151 + $preview_panel = 152 152 '<div class="aphront-panel-preview"> 153 153 <div class="phame-post-preview-header"> 154 154 Post Preview ··· 158 158 Loading preview... 159 159 </div> 160 160 </div> 161 - </div>'); 161 + </div>'; 162 162 163 163 require_celerity_resource('phame-css'); 164 164 Javelin::initBehavior(
+6 -6
src/applications/phame/controller/post/PhamePostNotLiveController.php
··· 25 25 26 26 $reasons = array(); 27 27 if (!$post->getBlog()) { 28 - $reasons[] = phutil_tag('p', array(), pht( 29 - 'You can not view the live version of this post because it '. 28 + $reasons[] = 29 + '<p>'.pht('You can not view the live version of this post because it '. 30 30 'is not associated with a blog. Move the post to a blog in order to '. 31 - 'view it live.')); 31 + 'view it live.').'</p>'; 32 32 } 33 33 34 34 if ($post->isDraft()) { 35 - $reasons[] = phutil_tag('p', array(), pht( 36 - 'You can not view the live version of this post because it '. 37 - 'is still a draft. Use "Preview/Publish" to publish the post.')); 35 + $reasons[] = 36 + '<p>'.pht('You can not view the live version of this post because it '. 37 + 'is still a draft. Use "Preview/Publish" to publish the post.').'</p>'; 38 38 } 39 39 40 40 if ($reasons) {
+1 -1
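--- a/src/applications/phame/controller/post/PhamePostPreviewController.php
+++ b/src/applications/phame/controller/post/PhamePostPreviewController.php
@@ -23,7 +23,7 @@
 PhamePost::MARKUP_FIELD_BODY,
 $user);
 
-$content = hsprintf('<div class="phabricator-remarkup">%s</div>', $content);
+$content = '<div class="phabricator-remarkup">'.$content.'</div>';
 
 return id(new AphrontAjaxResponse())->setContent($content);
 }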
+1 -1
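--- a/src/applications/phame/controller/post/PhamePostUnpublishController.php
+++ b/src/applications/phame/controller/post/PhamePostUnpublishController.php
@@ -45,7 +45,7 @@
 pht(
 'The post "%s" will no longer be visible to other users until you '.
 'republish it.',
-$post->getTitle()))
+phutil_escape_html($post->getTitle())))
 ->addSubmitButton(pht('Unpublish'))
 ->addCancelButton($cancel_uri);
 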
+1 -1
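--- a/src/applications/phame/skins/PhameBasicBlogSkin.php
+++ b/src/applications/phame/skins/PhameBasicBlogSkin.php
@@ -123,7 +123,7 @@
 }
 
 protected function render404Page() {
-return hsprintf('<h2>404 Not Found</h2>');
+return '<h2>404 Not Found</h2>';
 }
 
 final public function getResourceURI($resource) {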
+2 -2
src/applications/phame/skins/PhameBasicTemplateBlogSkin.php
··· 26 26 'href' => $this->getResourceURI('css/'.$path), 27 27 )); 28 28 } 29 - $this->cssResources = phutil_implode_html("\n", $this->cssResources); 29 + $this->cssResources = implode("\n", $this->cssResources); 30 30 } 31 31 32 32 $request = $this->getRequest(); ··· 43 43 ); 44 44 45 45 $response = new AphrontWebpageResponse(); 46 - $response->setContent(phutil_implode_html("\n", $content)); 46 + $response->setContent(implode("\n", $content)); 47 47 48 48 return $response; 49 49 }
+3 -3
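--- a/src/applications/phid/controller/PhabricatorPHIDLookupController.php
+++ b/src/applications/phid/controller/PhabricatorPHIDLookupController.php
@@ -24,9 +24,9 @@
 }
 
 $rows[] = array(
-$handle->getPHID(),
-$handle->getType(),
-$handle->getName(),
+phutil_escape_html($handle->getPHID()),
+phutil_escape_html($handle->getType()),
+phutil_escape_html($handle->getName()),
 $link,
 );
 }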
+1 -1
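--- a/src/applications/pholio/controller/PholioMockViewController.php
+++ b/src/applications/pholio/controller/PholioMockViewController.php
@@ -145,7 +145,7 @@
 foreach ($subscribers as $subscriber) {
 $sub_view[] = $this->getHandle($subscriber)->renderLink();
 }
-$sub_view = phutil_implode_html(', ', $sub_view);
+$sub_view = array_interleave(', ', $sub_view);
 } else {
 $sub_view = phutil_tag('em', array(), pht('None'));
 }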
+3 -3
src/applications/pholio/storage/PholioTransaction.php
··· 44 44 return pht( 45 45 '%s renamed this mock from "%s" to "%s".', 46 46 $this->renderHandleLink($author_phid), 47 - $old, 48 - $new); 47 + phutil_escape_html($old), 48 + phutil_escape_html($new)); 49 49 break; 50 50 case PholioTransactionType::TYPE_DESCRIPTION: 51 51 return pht( 52 52 '%s updated the description of this mock. '. 53 53 'The old description was: %s', 54 54 $this->renderHandleLink($author_phid), 55 - $old); 55 + phutil_escape_html($old)); 56 56 } 57 57 58 58 return parent::getTitle();
+1 -1
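--- a/src/applications/pholio/view/PholioMockImagesView.php
+++ b/src/applications/pholio/view/PholioMockImagesView.php
@@ -91,6 +91,6 @@
 $thumbnails);
 }
 
-return $this->renderSingleView($mockview);
+return $this->renderHTMLView($mockview);
 }
 }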
+6 -9
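--- a/src/applications/phpast/controller/PhabricatorXHPASTViewFramesetController.php
+++ b/src/applications/phpast/controller/PhabricatorXHPASTViewFramesetController.php
@@ -14,15 +14,12 @@
 
 $response = new AphrontWebpageResponse();
 $response->setFrameable(true);
-$response->setContent(hsprintf(
-'<frameset cols="33%%, 34%%, 33%%">'.
-'<frame src="/xhpast/input/%s/" />'.
-'<frame src="/xhpast/tree/%s/" />'.
-'<frame src="/xhpast/stream/%s/" />'.
-'</frameset>',
-$id,
-$id,
-$id));
+$response->setContent(
+'<frameset cols="33%, 34%, 33%">'.
+'<frame src="/xhpast/input/'.$id.'/" />'.
+'<frame src="/xhpast/tree/'.$id.'/" />'.
+'<frame src="/xhpast/stream/'.$id.'/" />'.
+'</frameset>');
 
 return $response;
 }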
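Review bot: `$id` is concatenated into three `src` attributes with no escaping now that the `hsprintf()` call is gone. It is assigned above the hunk, so whether it is constrained to digits cannot be confirmed from these lines. Escape or cast at the point of use, e.g. `'<frame src="/xhpast/input/'.(int)$id.'/" />'.`, or use `phutil_escape_html($id)` if ids are not numeric, and apply the same to the `tree` and `stream` frames.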
+2 -1
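--- a/src/applications/phpast/controller/PhabricatorXHPASTViewInputController.php
+++ b/src/applications/phpast/controller/PhabricatorXHPASTViewInputController.php
@@ -5,6 +5,7 @@
 
 public function processRequest() {
 $input = $this->getStorageTree()->getInput();
-return $this->buildXHPASTViewPanelResponse($input);
+return $this->buildXHPASTViewPanelResponse(
+phutil_escape_html($input));
 }
 }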
+5 -4
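--- a/src/applications/phpast/controller/PhabricatorXHPASTViewPanelController.php
+++ b/src/applications/phpast/controller/PhabricatorXHPASTViewPanelController.php
@@ -20,7 +20,7 @@
 }
 
 protected function buildXHPASTViewPanelResponse($content) {
-$content = hsprintf(
+$content =
 '<!DOCTYPE html>'.
 '<html>'.
 '<head>'.
@@ -57,9 +57,10 @@
 
 </style>'.
 '</head>'.
-'<body>%s</body>'.
-'</html>',
-$content);
+'<body>'.
+$content.
+'</body>'.
+'</html>';
 
 $response = new AphrontWebpageResponse();
 $response->setFrameable(true);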
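Review bot: `buildXHPASTViewPanelResponse($content)` now writes `$content` straight between `<body>` and `</body>`, so every caller has to pass markup that is already safe, and that contract is not documented. In this commit the input controller escapes before calling, while the stream and tree controllers pass joined tag output. Add a docblock on the method saying so, for example `@param string $content Already-escaped HTML for the document body.`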
+1 -2
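--- a/src/applications/phpast/controller/PhabricatorXHPASTViewStreamController.php
+++ b/src/applications/phpast/controller/PhabricatorXHPASTViewStreamController.php
@@ -27,7 +27,6 @@
 $token->getValue());
 }
 
-return $this->buildXHPASTViewPanelResponse(
-phutil_implode_html('', $tokens));
+return $this->buildXHPASTViewPanelResponse(implode('', $tokens));
 }
 }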
+12 -12
src/applications/phpast/controller/PhabricatorXHPASTViewTreeController.php
··· 12 12 $input, 13 13 array(0, $stdout, '')); 14 14 15 - $tree = phutil_tag('ul', array(), $this->buildTree($tree->getRootNode())); 15 + $tree = '<ul>'.$this->buildTree($tree->getRootNode()).'</ul>'; 16 16 return $this->buildXHPASTViewPanelResponse($tree); 17 17 } 18 18 ··· 27 27 } 28 28 29 29 $tree = array(); 30 - $tree[] = phutil_tag( 31 - 'li', 32 - array(), 33 - phutil_tag( 34 - 'span', 35 - array( 36 - 'title' => $title, 37 - ), 38 - $name)); 30 + $tree[] = 31 + '<li>'. 32 + phutil_tag( 33 + 'span', 34 + array( 35 + 'title' => $title, 36 + ), 37 + $name). 38 + '</li>'; 39 39 foreach ($root->getChildren() as $child) { 40 - $tree[] = phutil_tag('ul', array(), $this->buildTree($child)); 40 + $tree[] = '<ul>'.$this->buildTree($child).'</ul>'; 41 41 } 42 - return phutil_implode_html("\n", $tree); 42 + return implode("\n", $tree); 43 43 } 44 44 45 45 }
+14 -18
src/applications/phriction/controller/PhrictionDiffController.php
··· 155 155 $link_r = pht('Most Recent Change'); 156 156 } 157 157 158 - $navigation_table = hsprintf( 158 + $navigation_table = 159 159 '<table class="phriction-history-nav-table"> 160 160 <tr> 161 - <td class="nav-prev">%s</td> 162 - <td class="nav-next">%s</td> 161 + <td class="nav-prev">'.$link_l.'</td> 162 + <td class="nav-next">'.$link_r.'</td> 163 163 </tr> 164 - </table>', 165 - $link_l, 166 - $link_r); 164 + </table>'; 167 165 } 168 166 169 167 170 168 171 - $output = hsprintf( 169 + $output = 172 170 '<div class="phriction-document-history-diff">'. 173 - '%s<br /><br />%s'. 171 + $comparison_table->render(). 172 + '<br />'. 173 + '<br />'. 174 + $navigation_table. 174 175 '<table class="phriction-revert-table">'. 175 - '<tr><td>%s</td><td>%s</td>'. 176 + '<tr><td>'.$revert_l.'</td><td>'.$revert_r.'</td>'. 176 177 '</table>'. 177 - '%s'. 178 - '</div>', 179 - $comparison_table->render(), 180 - $navigation_table, 181 - $revert_l, 182 - $revert_r, 183 - $output); 178 + $output. 179 + '</div>'; 184 180 185 181 return $this->buildStandardPageResponse( 186 182 array( ··· 238 234 $rows[] = array( 239 235 phabricator_date($c->getDateCreated(), $user), 240 236 phabricator_time($c->getDateCreated(), $user), 241 - 'Version '.$c->getVersion(), 237 + phutil_escape_html('Version '.$c->getVersion()), 242 238 $handles[$c->getAuthorPHID()]->renderLink(), 243 - $c->getDescription(), 239 + phutil_escape_html($c->getDescription()), 244 240 ); 245 241 } 246 242
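Review bot: The row in the revert table is never closed: `'<tr><td>'.$revert_l.'</td><td>'.$revert_r.'</td>'.` is followed directly by `'</table>'.`. The removed `hsprintf()` template had the same gap, so the rewrite is a good moment to fix it with `'<tr><td>'.$revert_l.'</td><td>'.$revert_r.'</td></tr>'.`. Separately, `$link_l`, `$link_r`, `$revert_l` and `$revert_r` are now inserted as raw markup, and `$link_r = pht('Most Recent Change')` shows that at least one of them can be plain text, so the plain-text fallbacks should be escaped before they reach the concatenation.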
+40 -36
src/applications/phriction/controller/PhrictionDocumentController.php
··· 110 110 111 111 $project_info = null; 112 112 if ($project_phid) { 113 - $project_info = hsprintf( 114 - '<br />This document is about the project %s.', 115 - $handles[$project_phid]->renderLink()); 113 + $project_info = 114 + '<br />This document is about the project '. 115 + $handles[$project_phid]->renderLink().'.'; 116 116 } 117 117 118 118 $index_link = phutil_tag( ··· 122 122 ), 123 123 pht('Document Index')); 124 124 125 - $byline = hsprintf( 126 - '<div class="phriction-byline">Last updated %s by %s.%s</div>', 127 - $when, 128 - $handles[$content->getAuthorPHID()]->renderLink(), 129 - $project_info); 125 + $byline = 126 + '<div class="phriction-byline">'. 127 + "Last updated {$when} by ". 128 + $handles[$content->getAuthorPHID()]->renderLink().'.'. 129 + $project_info. 130 + '</div>'; 130 131 131 132 132 133 $doc_status = $document->getStatus(); ··· 144 145 throw new Exception("Unknown document status '{$doc_status}'!"); 145 146 } 146 147 147 - $page_content = hsprintf( 148 - '<div class="phriction-content">%s%s%s</div>', 149 - $index_link, 150 - $byline, 151 - $core_content); 148 + $page_content = 149 + '<div class="phriction-content">'. 150 + $index_link. 151 + $byline. 152 + $core_content. 153 + '</div>'; 152 154 } 153 155 154 156 if ($version_note) { 155 157 $version_note = $version_note->render(); 156 158 } 157 159 158 - $children = $this->renderDocumentChildren($slug); 160 + $children = $this->renderChildren($slug); 159 161 160 162 $crumbs = $this->buildApplicationCrumbs(); 161 163 $crumb_views = $this->renderBreadcrumbs($slug); ··· 167 169 168 170 $header = id(new PhabricatorHeaderView()) 169 171 ->setHeader($page_title); 172 + 173 + $page = 174 + $crumbs->render(). 175 + $header->render(). 176 + $actions->render(). 177 + $version_note. 178 + $page_content. 
179 + $children; 170 180 171 181 return $this->buildApplicationPage( 172 182 array( 173 - $crumbs->render(), 174 - $header->render(), 175 - $actions->render(), 176 - $version_note, 177 - $page_content, 178 - $children, 183 + $page, 179 184 ), 180 185 array( 181 186 'title' => $page_title, ··· 220 225 ->setHref(PhrictionDocument::getSlugURI($slug, 'history'))); 221 226 } 222 227 223 - private function renderDocumentChildren($slug) { 228 + private function renderChildren($slug) { 224 229 $document_dao = new PhrictionDocument(); 225 230 $content_dao = new PhrictionContent(); 226 231 $conn = $document_dao->establishConnection('r'); ··· 304 309 $children = isort($children, 'title'); 305 310 306 311 $list = array(); 312 + $list[] = '<ul>'; 307 313 foreach ($children as $child) { 308 - $list[] = hsprintf('<li>'); 309 314 $list[] = $this->renderChildDocumentLink($child); 310 315 $grand = idx($grandchildren, $child['slug'], array()); 311 316 if ($grand) { 312 - $list[] = hsprintf('<ul>'); 317 + $list[] = '<ul>'; 313 318 foreach ($grand as $grandchild) { 314 - $list[] = hsprintf('<li>'); 315 319 $list[] = $this->renderChildDocumentLink($grandchild); 316 - $list[] = hsprintf('</li>'); 317 320 } 318 - $list[] = hsprintf('</ul>'); 321 + $list[] = '</ul>'; 319 322 } 320 - $list[] = hsprintf('</li>'); 321 323 } 322 324 if ($more_children) { 323 - $list[] = phutil_tag('li', array(), pht('More...')); 325 + $list[] = '<li>'.pht('More...').'</li>'; 324 326 } 327 + $list[] = '</ul>'; 328 + $list = implode("\n", $list); 325 329 326 - return hsprintf( 330 + return 327 331 '<div class="phriction-children">'. 328 - '<div class="phriction-children-header">%s</div>'. 329 - '%s'. 330 - '</div>', 331 - pht('Document Hierarchy'), 332 - phutil_tag('ul', array(), $list)); 332 + '<div class="phriction-children-header">'. 333 + pht('Document Hierarchy'). 334 + '</div>'. 335 + $list. 
336 + '</div>'; 333 337 } 334 338 335 339 private function renderChildDocumentLink(array $info) { ··· 342 346 $title); 343 347 344 348 if (isset($info['empty'])) { 345 - $item = phutil_tag('em', array(), $item); 349 + $item = '<em>'.$item.'</em>'; 346 350 } 347 351 348 - return $item; 352 + return '<li>'.$item.'</li>'; 349 353 } 350 354 351 355 }
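Review bot: Nested lists now end up as direct children of the outer `<ul>`: `renderChildDocumentLink()` returns a closed `<li>…</li>`, and in `renderChildren()` the grandchild `<ul>` is appended after that item instead of inside it. That is invalid list markup and drops the parent/child nesting the removed code produced. Keeping the `<li>` wrapper in the loop and letting the helper return only the link restores it, as sketched below. Also, `$when` is interpolated into the byline as raw markup and is assigned outside the hunk, so its escaping should be confirmed.

```php
foreach ($children as $child) {
  $list[] = '<li>'.$this->renderChildDocumentLink($child);
  // … unchanged: $grand lookup and opening of the nested <ul> …
      $list[] = '<li>'.$this->renderChildDocumentLink($grandchild).'</li>';
  // … unchanged: closing of the nested <ul> …
  $list[] = '</li>';
}

// in renderChildDocumentLink(): return the link without the <li> wrapper
return $item;
```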
+12 -10
src/applications/phriction/controller/PhrictionEditController.php
··· 108 108 $dialog = new AphrontDialogView(); 109 109 $dialog->setUser($user); 110 110 $dialog->setTitle(pht('No Edits')); 111 - $dialog->appendChild(phutil_tag('p', array(), pht( 112 - 'You did not make any changes to the document.'))); 111 + $dialog->appendChild( 112 + '<p>'.pht('You did not make any changes to the document.').'</p>'); 113 113 $dialog->addCancelButton($request->getRequestURI()); 114 114 115 115 return id(new AphrontDialogResponse())->setDialog($dialog); ··· 122 122 $dialog = new AphrontDialogView(); 123 123 $dialog->setUser($user); 124 124 $dialog->setTitle(pht('Empty Page')); 125 - $dialog->appendChild(phutil_tag('p', array(), pht( 126 - 'You can not create an empty document.'))); 125 + $dialog->appendChild( 126 + '<p>'.pht('You can not create an empty document.').'</p>'); 127 127 $dialog->addCancelButton($request->getRequestURI()); 128 128 129 129 return id(new AphrontDialogResponse())->setDialog($dialog); ··· 231 231 ->setHeader($panel_header) 232 232 ->appendChild($form); 233 233 234 - $preview_panel = hsprintf( 234 + $preview_panel = 235 235 '<div class="aphront-panel-preview aphront-panel-preview-wide"> 236 - <div class="phriction-document-preview-header">%s</div> 236 + <div class="phriction-document-preview-header"> 237 + '.pht('Document Preview').' 238 + </div> 237 239 <div id="document-preview"> 238 - <div class="aphront-panel-preview-loading-text">%s</div> 240 + <div class="aphront-panel-preview-loading-text"> 241 + '.pht('Loading preview...').' 242 + </div> 239 243 </div> 240 - </div>', 241 - pht('Document Preview'), 242 - pht('Loading preview...')); 244 + </div>'; 243 245 244 246 Javelin::initBehavior( 245 247 'phriction-document-preview',
+3 -3
src/applications/phriction/controller/PhrictionHistoryController.php
··· 49 49 50 50 $diff_uri = new PhutilURI('/phriction/diff/'.$document->getID().'/'); 51 51 52 - $vs_previous = phutil_tag('em', array(), pht('Created')); 52 + $vs_previous = '<em>'.pht('Created').'</em>'; 53 53 if ($content->getVersion() != 1) { 54 54 $uri = $diff_uri 55 55 ->alter('l', $content->getVersion() - 1) ··· 62 62 pht('Show Change')); 63 63 } 64 64 65 - $vs_head = phutil_tag('em', array(), pht('Current')); 65 + $vs_head = '<em>'.pht('Current').'</em>'; 66 66 if ($content->getID() != $document->getContentID()) { 67 67 $uri = $diff_uri 68 68 ->alter('l', $content->getVersion()) ··· 90 90 pht('Version %s', $version)), 91 91 $handles[$content->getAuthorPHID()]->renderLink(), 92 92 $change_type, 93 - $content->getDescription(), 93 + phutil_escape_html($content->getDescription()), 94 94 $vs_previous, 95 95 $vs_head, 96 96 );
+11 -10
src/applications/phriction/storage/PhrictionContent.php
··· 75 75 $engine); 76 76 77 77 if ($toc) { 78 - $toc = hsprintf( 78 + $toc = 79 79 '<div class="phabricator-remarkup-toc">'. 80 - '<div class="phabricator-remarkup-toc-header">%s</div>'. 81 - '%s'. 82 - '</div>', 83 - pht('Table of Contents'), 84 - $toc); 80 + '<div class="phabricator-remarkup-toc-header">'. 81 + pht('Table of Contents'). 82 + '</div>'. 83 + $toc. 84 + '</div>'; 85 85 } 86 86 87 - return hsprintf( 88 - '<div class="phabricator-remarkup">%s%s</div>', 89 - $toc, 90 - $output); 87 + return 88 + '<div class="phabricator-remarkup">'. 89 + $toc. 90 + $output. 91 + '</div>'; 91 92 } 92 93 93 94
+1 -1
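--- a/src/applications/policy/filter/PhabricatorPolicy.php
+++ b/src/applications/policy/filter/PhabricatorPolicy.php
@@ -84,7 +84,7 @@
 ),
 $this->getName());
 } else {
-$desc = $this->getName();
+$desc = phutil_escape_html($this->getName());
 }
 
 switch ($this->getType()) {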
+1 -2
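--- a/src/applications/ponder/controller/PonderAnswerSaveController.php
+++ b/src/applications/ponder/controller/PonderAnswerSaveController.php
@@ -23,8 +23,7 @@
 $dialog = new AphrontDialogView();
 $dialog->setUser($request->getUser());
 $dialog->setTitle('Empty answer');
-$dialog->appendChild(phutil_tag('p', array(), pht(
-'Your answer must not be empty.')));
+$dialog->appendChild('<p>Your answer must not be empty.</p>');
 $dialog->addCancelButton('/Q'.$question_id);
 
 return id(new AphrontDialogResponse())->setDialog($dialog);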
+1 -2
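--- a/src/applications/ponder/controller/PonderCommentSaveController.php
+++ b/src/applications/ponder/controller/PonderCommentSaveController.php
@@ -32,8 +32,7 @@
 $dialog = new AphrontDialogView();
 $dialog->setUser($request->getUser());
 $dialog->setTitle('Empty comment');
-$dialog->appendChild(phutil_tag('p', array(), pht(
-'Your comment must not be empty.')));
+$dialog->appendChild('<p>Your comment must not be empty.</p>');
 $dialog->addCancelButton('/Q'.$question_id);
 
 return id(new AphrontDialogResponse())->setDialog($dialog);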
+5 -4
src/applications/ponder/controller/PonderQuestionAskController.php
··· 74 74 id(new AphrontFormSubmitControl()) 75 75 ->setValue('Ask Away!')); 76 76 77 - $preview = hsprintf( 77 + $preview = 78 78 '<div class="aphront-panel-flush">'. 79 79 '<div id="question-preview">'. 80 - '<span class="aphront-panel-preview-loading-text">%s</span>'. 80 + '<span class="aphront-panel-preview-loading-text">'. 81 + pht('Loading question preview...'). 82 + '</span>'. 81 83 '</div>'. 82 - '</div>', 83 - pht('Loading question preview...')); 84 + '</div>'; 84 85 85 86 Javelin::initBehavior( 86 87 'ponder-feedback-preview',
+2 -2
src/applications/ponder/view/PonderAddAnswerView.php
··· 44 44 id(new AphrontFormSubmitControl()) 45 45 ->setValue($is_serious ? 'Submit' : 'Make it so')); 46 46 47 - $preview = hsprintf( 47 + $preview = 48 48 '<div class="aphront-panel-flush">'. 49 49 '<div id="answer-preview">'. 50 50 '<span class="aphront-panel-preview-loading-text">'. 51 51 'Loading answer preview...'. 52 52 '</span>'. 53 53 '</div>'. 54 - '</div>'); 54 + '</div>'; 55 55 56 56 Javelin::initBehavior( 57 57 'ponder-feedback-preview',
+1 -2
src/applications/ponder/view/PonderAnswerListView.php
··· 70 70 71 71 $panel->appendChild($view); 72 72 $panel->appendChild($commentview); 73 - $panel->appendChild( 74 - hsprintf('<div style="height: 40px; clear : both"></div>')); 73 + $panel->appendChild('<div style="height: 40px; clear : both"></div>'); 75 74 76 75 } 77 76
+1 -1
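--- a/src/applications/ponder/view/PonderPostBodyView.php
+++ b/src/applications/ponder/view/PonderPostBodyView.php
@@ -64,7 +64,7 @@
 $content);
 
 $author = $this->handles[$target->getAuthorPHID()];
-$actions = array(hsprintf('%s %s', $author->renderLink(), $this->action));
+$actions = array($author->renderLink().' '.$this->action);
 $author_link = $author->renderLink();
 $xaction_view = id(new PhabricatorTransactionView())
 ->setUser($user)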
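Review bot: `$this->action` is appended to the author link as raw markup, whereas the removed `hsprintf('%s %s', ...)` escaped it. The property is set outside this hunk, so if it carries plain text it needs escaping at this point: `$actions = array($author->renderLink().' '.phutil_escape_html($this->action));`. The enclosing method begins and ends outside the hunk.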
+25 -20
src/applications/ponder/view/PonderQuestionSummaryView.php
··· 43 43 '</div>', 44 44 $question->getAnswerCount()); 45 45 46 - $title = hsprintf('<h2 class="ponder-question-title">%s</h2>', 47 - phutil_tag( 48 - 'a', 49 - array( 50 - "href" => '/Q' . $question->getID(), 51 - ), 52 - 'Q' . $question->getID() . 53 - ' ' . $question->getTitle() 54 - )); 46 + $title = 47 + '<h2 class="ponder-question-title">'. 48 + phutil_tag( 49 + 'a', 50 + array( 51 + "href" => '/Q' . $question->getID(), 52 + ), 53 + 'Q' . $question->getID() . 54 + ' ' . $question->getTitle() 55 + ) . 56 + '</h2>'; 55 57 56 - $rhs = hsprintf( 58 + $rhs = 57 59 '<div class="ponder-metadata">'. 58 - '%s <span class="ponder-small-metadata">asked on %s by %s</span>'. 59 - '</div>', 60 - $title, 61 - phabricator_datetime($question->getDateCreated(), $user), 62 - $authorlink); 60 + $title. 61 + '<span class="ponder-small-metadata">'. 62 + 'asked on '. 63 + phabricator_datetime($question->getDateCreated(), $user). 64 + ' by ' . $authorlink. 65 + '</span>'. 66 + '</div>'; 63 67 64 - $summary = hsprintf( 65 - '<div class="ponder-question-summary">%s%s%s</div>', 66 - $votecount, 67 - $answercount, 68 - $rhs); 68 + $summary = 69 + '<div class="ponder-question-summary">'. 70 + $votecount. 71 + $answercount. 72 + $rhs. 73 + '</div>'; 69 74 70 75 71 76 return $summary;
+2 -2
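--- a/src/applications/ponder/view/PonderVotableView.php
+++ b/src/applications/ponder/view/PonderVotableView.php
@@ -63,7 +63,7 @@
 ),
 $this->count);
 
-return javelin_tag(
+return javelin_render_tag(
 'div',
 array(
 'class' => 'ponder-votable',
@@ -80,7 +80,7 @@
 'class' => 'ponder-votebox',
 ),
 array($up, $count, $down)),
-phutil_tag(
+phutil_render_tag(
 'div',
 array(
 'class' => 'ponder-votebox-content',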
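Review bot: Both calls switch to the `_render_` variants (`javelin_render_tag`, `phutil_render_tag`), which, as far as I know, emit their content argument without escaping it. The content passed to the `ponder-votebox-content` div lies outside the hunk, so it should be confirmed to be already-rendered child markup and not plain text. A comment at the call, e.g. `// content is pre-rendered HTML; phutil_render_tag() does not escape it`, would make the assumption explicit.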
+4 -3
src/applications/project/controller/PhabricatorProjectListController.php
··· 97 97 'href' => '/project/view/'.$project->getID().'/', 98 98 ), 99 99 $project->getName()), 100 - PhabricatorProjectStatus::getNameForStatus($project->getStatus()), 101 - $blurb, 102 - $population, 100 + phutil_escape_html( 101 + PhabricatorProjectStatus::getNameForStatus($project->getStatus())), 102 + phutil_escape_html($blurb), 103 + phutil_escape_html($population), 103 104 phutil_tag( 104 105 'a', 105 106 array(
+1 -1
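--- a/src/applications/project/controller/PhabricatorProjectMembersEditController.php
+++ b/src/applications/project/controller/PhabricatorProjectMembersEditController.php
@@ -113,7 +113,7 @@
 $panel->setWidth(AphrontPanelView::WIDTH_FORM);
 $panel->setNoBackground();
 $panel->appendChild($form);
-$panel->appendChild(phutil_tag('br'));
+$panel->appendChild('<br />');
 $panel->appendChild($faux_form);
 
 $nav = $this->buildLocalNavigation($project);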
+33 -28
src/applications/project/controller/PhabricatorProjectProfileController.php
··· 55 55 $query->setViewer($this->getRequest()->getUser()); 56 56 $stories = $query->execute(); 57 57 58 - $content = hsprintf('%s%s', $content, $this->renderStories($stories)); 58 + $content .= $this->renderStories($stories); 59 59 break; 60 60 case 'about': 61 61 $content = $this->renderAboutPage($project, $profile); ··· 114 114 115 115 $nav_view->appendChild($header); 116 116 117 - $content = hsprintf('<div style="padding: 1em;">%s</div>', $content); 117 + $content = '<div style="padding: 1em;">'.$content.'</div>'; 118 118 $header->appendChild($content); 119 119 120 120 return $this->buildApplicationPage( ··· 183 183 184 184 $affiliated = array(); 185 185 foreach ($handles as $phids => $handle) { 186 - $affiliated[] = phutil_tag('li', array(), $handle->renderLink()); 186 + $affiliated[] = '<li>'.$handle->renderLink().'</li>'; 187 187 } 188 188 189 189 if ($affiliated) { 190 - $affiliated = phutil_tag('ul', array(), $affiliated); 190 + $affiliated = '<ul>'.implode("\n", $affiliated).'</ul>'; 191 191 } else { 192 - $affiliated = hsprintf('<p><em>%s</em></p>', pht( 193 - 'No one is affiliated with this project.')); 192 + $affiliated = 193 + '<p><em>'. 194 + pht('No one is affiliated with this project.'). 195 + '</em></p>'; 194 196 } 195 197 196 - return hsprintf( 198 + return 197 199 '<div class="phabricator-profile-info-group">'. 198 - '<h1 class="phabricator-profile-info-header">%s</h1>'. 199 - '<div class="phabricator-profile-info-pane">%s</div>'. 200 - '</div>', 201 - pht('People'), 202 - $affiliated); 200 + '<h1 class="phabricator-profile-info-header">'.pht('People').'</h1>'. 201 + '<div class="phabricator-profile-info-pane">'. 202 + $affiliated. 203 + '</div>'. 204 + '</div>'; 203 205 } 204 206 205 207 private function renderFeedPage( ··· 226 228 $builder->setUser($this->getRequest()->getUser()); 227 229 $view = $builder->buildView(); 228 230 229 - return hsprintf( 231 + return 230 232 '<div class="phabricator-profile-info-group">'. 
231 - '<h1 class="phabricator-profile-info-header">%s</h1>'. 232 - '<div class="phabricator-profile-info-pane">%s</div>'. 233 - '</div>', 234 - pht('Activity Feed'), 235 - $view->render()); 233 + '<h1 class="phabricator-profile-info-header">'. 234 + pht('Activity Feed'). 235 + '</h1>'. 236 + '<div class="phabricator-profile-info-pane">'. 237 + $view->render(). 238 + '</div>'. 239 + '</div>'; 236 240 } 237 241 238 242 ··· 263 267 } 264 268 265 269 if (empty($tasks)) { 266 - $task_views = phutil_tag('em', array(), pht('No open tasks.')); 270 + $task_views = '<em>'.pht('No open tasks.').'</em>'; 267 271 } else { 268 - $task_views = phutil_implode_html('', $task_views); 272 + $task_views = implode('', $task_views); 269 273 } 270 274 271 275 $open = number_format($count); ··· 277 281 ), 278 282 pht("View All Open Tasks \xC2\xBB")); 279 283 280 - $content = hsprintf( 284 + $content = 281 285 '<div class="phabricator-profile-info-group"> 282 - <h1 class="phabricator-profile-info-header">%s</h1>'. 286 + <h1 class="phabricator-profile-info-header">'. 287 + pht("Open Tasks (%d)", $open). 288 + '</h1>'. 283 289 '<div class="phabricator-profile-info-pane">'. 284 - '%s'. 285 - '<div class="phabricator-profile-info-pane-more-link">%s</div>'. 290 + $task_views. 291 + '<div class="phabricator-profile-info-pane-more-link">'. 292 + $more_link. 293 + '</div>'. 286 294 '</div> 287 - </div>', 288 - pht('Open Tasks (%s)', $open), 289 - $task_views, 290 - $more_link); 295 + </div>'; 291 296 292 297 return $content; 293 298 }
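Review bot: `pht("Open Tasks (%d)", $open)` formats a value that comes from `number_format($count)` a few lines earlier, which is a string containing a thousands separator once the count reaches 1,000. Assuming pht() formats printf-style, `%d` would stop converting at the separator and show the wrong number. The removed call used `%s`, and the new line should keep it: `pht('Open Tasks (%s)', $open).`. The enclosing method begins outside the hunk.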
+5 -3
src/applications/project/controller/PhabricatorProjectUpdateController.php
··· 62 62 $dialog = new AphrontDialogView(); 63 63 $dialog->setUser($user); 64 64 $dialog->setTitle(pht('Really leave project?')); 65 - $dialog->appendChild(phutil_tag('p', array(), pht( 66 - 'Your tremendous contributions to this project will be sorely '. 67 - 'missed. Are you sure you want to leave?'))); 65 + $dialog->appendChild( 66 + '<p>'. 67 + pht('Your tremendous contributions to this project will be sorely '. 68 + 'missed. Are you sure you want to leave?'). 69 + '</p>'); 68 70 $dialog->addCancelButton($project_uri); 69 71 $dialog->addSubmitButton(pht('Leave Project')); 70 72 break;
+1 -1
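--- a/src/applications/remarkup/conduit/ConduitAPI_remarkup_process_Method.php
+++ b/src/applications/remarkup/conduit/ConduitAPI_remarkup_process_Method.php
@@ -45,7 +45,7 @@
 
 $text = $engine->markupText($content);
 if ($text) {
-$content = hsprintf('%s', $text)->getHTMLContent();
+$content = phutil_safe_html($text)->getHTMLContent();
 } else {
 $content = '';
 }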
+5 -5
src/applications/repository/controller/PhabricatorRepositoryListController.php
··· 27 27 ), 28 28 'View in Diffusion'); 29 29 } else { 30 - $diffusion_link = phutil_tag('em', array(), 'Not Tracked'); 30 + $diffusion_link = '<em>Not Tracked</em>'; 31 31 } 32 32 33 33 $rows[] = array( 34 - $repo->getCallsign(), 35 - $repo->getName(), 34 + phutil_escape_html($repo->getCallsign()), 35 + phutil_escape_html($repo->getName()), 36 36 PhabricatorRepositoryType::getNameForRepositoryType( 37 37 $repo->getVersionControlSystem()), 38 38 $diffusion_link, ··· 98 98 foreach ($projects as $project) { 99 99 $repo = idx($repos, $project->getRepositoryID()); 100 100 if ($repo) { 101 - $repo_name = $repo->getName(); 101 + $repo_name = phutil_escape_html($repo->getName()); 102 102 } else { 103 103 $repo_name = '-'; 104 104 } 105 105 106 106 $rows[] = array( 107 - $project->getName(), 107 + phutil_escape_html($project->getName()), 108 108 $repo_name, 109 109 phutil_tag( 110 110 'a',
+8 -8
src/applications/search/controller/PhabricatorSearchController.php
··· 242 242 ->setObject(idx($objects, $phid)); 243 243 $results[] = $view->render(); 244 244 } 245 - $results = hsprintf( 245 + $results = 246 246 '<div class="phabricator-search-result-list">'. 247 - '%s'. 248 - '<div class="search-results-pager">%s</div>'. 249 - '</div>', 250 - phutil_implode_html("\n", $results), 251 - $pager->render()); 247 + implode("\n", $results). 248 + '<div class="search-results-pager">'. 249 + $pager->render(). 250 + '</div>'. 251 + '</div>'; 252 252 } else { 253 - $results = hsprintf( 253 + $results = 254 254 '<div class="phabricator-search-result-list">'. 255 255 '<p class="phabricator-search-no-results">No search results.</p>'. 256 - '</div>'); 256 + '</div>'; 257 257 } 258 258 } else { 259 259 $results = null;
+11 -15
src/applications/search/view/PhabricatorSearchResultView.php
··· 70 70 break; 71 71 } 72 72 73 - return hsprintf( 73 + return 74 74 '<div class="phabricator-search-result">'. 75 - '%s'. 75 + $img. 76 76 '<div class="result-desc">'. 77 - '%s'. 78 - '<div class="result-type">%s &middot; %s</div>'. 77 + phutil_tag( 78 + 'a', 79 + array( 80 + 'class' => 'result-name', 81 + 'href' => $handle->getURI(), 82 + ), 83 + $this->emboldenQuery($object_name)). 84 + '<div class="result-type">'.$type_name.' &middot; '.$link.'</div>'. 79 85 '</div>'. 80 86 '<div style="clear: both;"></div>'. 81 - '</div>', 82 - $img, 83 - phutil_tag( 84 - 'a', 85 - array( 86 - 'class' => 'result-name', 87 - 'href' => $handle->getURI(), 88 - ), 89 - $this->emboldenQuery($object_name)), 90 - $type_name, 91 - $link); 87 + '</div>'; 92 88 } 93 89 94 90 private function emboldenQuery($str) {
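Review bot: `$type_name` and `$link` are now concatenated straight into the `result-type` div, where `hsprintf` escaped them before. Both are assigned above the hunk, so it needs checking which of them is plain text rather than rendered markup. If `$type_name` is a plain label, the line should read `'<div class="result-type">'.phutil_escape_html($type_name).' &middot; '.$link.'</div>'.`. The same question applies to `$img` at the top of the returned string.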
+3 -3
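--- a/src/applications/settings/panel/PhabricatorSettingsPanelConduit.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelConduit.php
@@ -26,9 +26,9 @@
 $dialog->setSubmitURI($this->getPanelURI());
 $dialog->addSubmitButton('Regenerate');
 $dialog->addCancelbutton($this->getPanelURI());
-$dialog->appendChild(phutil_tag('p', array(), pht(
-'Really destroy the old certificate? Any established '.
-'sessions will be terminated.')));
+$dialog->appendChild(
+'<p>Really destroy the old certificate? Any established '.
+'sessions will be terminated.');
 
 return id(new AphrontDialogResponse())
 ->setDialog($dialog);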
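Review bot: The hand-written paragraph passed to `appendChild()` opens `<p>` but never closes it, whereas the removed `phutil_tag('p', ...)` call produced a balanced element. The last string should end `'sessions will be terminated.</p>');`, matching the two dialogs in PhabricatorSettingsPanelEmailAddresses.php. The text also no longer goes through `pht()`, here and in those two dialogs, so it drops out of translation.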
+7 -7
src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
··· 103 103 } 104 104 105 105 $rows[] = array( 106 - $email->getAddress(), 106 + phutil_escape_html($email->getAddress()), 107 107 $action, 108 108 $remove, 109 109 ); ··· 191 191 ->setUser($user) 192 192 ->addHiddenInput('new', 'verify') 193 193 ->setTitle('Verification Email Sent') 194 - ->appendChild(phutil_tag('p', array(), pht( 195 - 'A verification email has been sent. Click the link in the '. 196 - 'email to verify your address.'))) 194 + ->appendChild( 195 + '<p>A verification email has been sent. Click the link in the '. 196 + 'email to verify your address.</p>') 197 197 ->setSubmitURI($uri) 198 198 ->addSubmitButton('Done'); 199 199 ··· 264 264 ->setUser($user) 265 265 ->addHiddenInput('delete', $email_id) 266 266 ->setTitle("Really delete address '{$address}'?") 267 - ->appendChild(phutil_tag('p', array(), pht( 268 - 'Are you sure you want to delete this address? You will no '. 269 - 'longer be able to use it to login.'))) 267 + ->appendChild( 268 + '<p>Are you sure you want to delete this address? You will no '. 269 + 'longer be able to use it to login.</p>') 270 270 ->addSubmitButton('Delete') 271 271 ->addCancelButton($uri); 272 272
+1 -1
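--- a/src/applications/settings/panel/PhabricatorSettingsPanelLDAP.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelLDAP.php
@@ -75,7 +75,7 @@
 
 foreach ($forms as $name => $form) {
 if ($name) {
-$panel->appendChild(hsprintf('<br /><h1>%s</h1><br />', $name));
+$panel->appendChild('<br /><h1>'.$name.'</h1><br />');
 }
 $panel->appendChild($form);
 }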
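Review bot: `$name` is now concatenated into the `<h1>` without escaping, where the removed `hsprintf('<br /><h1>%s</h1><br />', $name)` escaped it. The keys of `$forms` are built outside the hunk, so unless they are known to be fixed strings the heading should be `'<br /><h1>'.phutil_escape_html($name).'</h1><br />'`. The identical line in PhabricatorSettingsPanelOAuth.php needs the same change.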
+1 -1
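--- a/src/applications/settings/panel/PhabricatorSettingsPanelOAuth.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelOAuth.php
@@ -215,7 +215,7 @@
 
 foreach ($forms as $name => $form) {
 if ($name) {
-$panel->appendChild(hsprintf('<br /><h1>%s</h1><br />', $name));
+$panel->appendChild('<br /><h1>'.$name.'</h1><br />');
 }
 $panel->appendChild($form);
 }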
+7 -7
src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php
··· 182 182 'href' => $this->getPanelURI('?edit='.$key->getID()), 183 183 ), 184 184 $key->getName()), 185 - $key->getKeyComment(), 186 - $key->getKeyType(), 185 + phutil_escape_html($key->getKeyComment()), 186 + phutil_escape_html($key->getKeyType()), 187 187 phabricator_date($key->getDateCreated(), $user), 188 188 phabricator_time($key->getDateCreated(), $user), 189 189 javelin_tag( ··· 240 240 241 241 $user = $request->getUser(); 242 242 243 - $name = phutil_tag('strong', array(), $key->getName()); 243 + $name = phutil_escape_html($key->getName()); 244 244 245 245 if ($request->isDialogFormPost()) { 246 246 $key->delete(); ··· 252 252 ->setUser($user) 253 253 ->addHiddenInput('delete', $key->getID()) 254 254 ->setTitle('Really delete SSH Public Key?') 255 - ->appendChild(phutil_tag('p', array(), pht( 256 - 'The key "%s" will be permanently deleted, and you will not longer be '. 257 - 'able to use the corresponding private key to authenticate.', 258 - $name))) 255 + ->appendChild( 256 + '<p>The key "<strong>'.$name.'</strong>" will be permanently deleted, '. 257 + 'and you will not longer be able to use the corresponding private key '. 258 + 'to authenticate.</p>') 259 259 ->addSubmitButton('Delete Public Key') 260 260 ->addCancelButton($this->getPanelURI()); 261 261
+4 -3
src/applications/slowvote/controller/PhabricatorSlowvotePollController.php
··· 177 177 178 178 179 179 $panel = new AphrontPanelView(); 180 - $panel->setHeader($poll->getQuestion()); 180 + $panel->setHeader(phutil_escape_html($poll->getQuestion())); 181 181 $panel->setWidth(AphrontPanelView::WIDTH_WIDE); 182 182 183 183 $panel->appendChild($form); 184 - $panel->appendChild(hsprintf('<br /><br />')); 184 + $panel->appendChild('<br /><br />'); 185 185 $panel->appendChild($result_markup); 186 186 187 187 return $this->buildStandardPageResponse( ··· 203 203 foreach ($comments as $comment) { 204 204 $handle = $handles[$comment->getAuthorPHID()]; 205 205 206 - $markup = $engine->markupText($comment->getCommentText()); 206 + $markup = phutil_safe_html( 207 + $engine->markupText($comment->getCommentText())); 207 208 208 209 require_celerity_resource('phabricator-remarkup-css'); 209 210
+3 -3
src/applications/subscriptions/events/PhabricatorSubscriptionsUIEventListener.php
··· 36 36 ->setDisabled(true) 37 37 ->setRenderAsForm(true) 38 38 ->setHref('/subscriptions/add/'.$object->getPHID().'/') 39 - ->setName('Automatically Subscribed') 39 + ->setName(phutil_escape_html('Automatically Subscribed')) 40 40 ->setIcon('subscribe-auto'); 41 41 } else { 42 42 $subscribed = false; ··· 59 59 ->setWorkflow(true) 60 60 ->setRenderAsForm(true) 61 61 ->setHref('/subscriptions/delete/'.$object->getPHID().'/') 62 - ->setName('Unsubscribe') 62 + ->setName(phutil_escape_html('Unsubscribe')) 63 63 ->setIcon('subscribe-delete'); 64 64 } else { 65 65 $sub_action = id(new PhabricatorActionView()) ··· 67 67 ->setWorkflow(true) 68 68 ->setRenderAsForm(true) 69 69 ->setHref('/subscriptions/add/'.$object->getPHID().'/') 70 - ->setName('Subscribe') 70 + ->setName(phutil_escape_html('Subscribe')) 71 71 ->setIcon('subscribe-add'); 72 72 } 73 73
+1 -2
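--- a/src/applications/transactions/response/PhabricatorApplicationTransactionNoEffectResponse.php
+++ b/src/applications/transactions/response/PhabricatorApplicationTransactionNoEffectResponse.php
@@ -57,8 +57,7 @@
 ->setTitle($title);
 
 foreach ($xactions as $xaction) {
-$dialog->appendChild(
-phutil_tag('p', array(), $xaction->getNoEffectDescription()));
+$dialog->appendChild('<p>'.$xaction->getNoEffectDescription().'</p>');
 }
 $dialog->appendChild($tail);
 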
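Review bot: The return value of `getNoEffectDescription()` is now placed inside `<p>` by plain concatenation, so it reaches the dialog unescaped; the removed `phutil_tag('p', array(), ...)` escaped it. The method is not shown here, so if it returns plain text (which may include object or field names) the line should be `$dialog->appendChild('<p>'.phutil_escape_html($xaction->getNoEffectDescription()).'</p>');`. If it already returns markup, a comment saying so would prevent a later double-escape.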
+6 -6
src/applications/transactions/storage/PhabricatorApplicationTransaction.php
··· 134 134 if ($this->renderingTarget == self::TARGET_HTML) { 135 135 return $this->getHandle($phid)->renderLink(); 136 136 } else { 137 - return hsprintf('%s', $this->getHandle($phid)->getName()); 137 + return $this->getHandle($phid)->getName(); 138 138 } 139 139 } 140 140 ··· 143 143 foreach ($phids as $phid) { 144 144 $links[] = $this->renderHandleLink($phid); 145 145 } 146 - return phutil_implode_html(', ', $links); 146 + return phutil_safe_html(implode(', ', $links)); 147 147 } 148 148 149 149 public function getIcon() { ··· 218 218 '%s changed the visibility of this %s from "%s" to "%s".', 219 219 $this->renderHandleLink($author_phid), 220 220 $this->getApplicationObjectTypeName(), 221 - $old, 222 - $new); 221 + phutil_escape_html($old), 222 + phutil_escape_html($new)); 223 223 case PhabricatorTransactions::TYPE_EDIT_POLICY: 224 224 // TODO: Render human-readable. 225 225 return pht( 226 226 '%s changed the edit policy of this %s from "%s" to "%s".', 227 227 $this->renderHandleLink($author_phid), 228 228 $this->getApplicationObjectTypeName(), 229 - $old, 230 - $new); 229 + phutil_escape_html($old), 230 + phutil_escape_html($new)); 231 231 case PhabricatorTransactions::TYPE_SUBSCRIBERS: 232 232 $add = array_diff($new, $old); 233 233 $rem = array_diff($old, $new);
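Review bot: `renderHandleList()` now wraps its result in `phutil_safe_html(implode(', ', $links))` whatever the rendering target is, while the non-HTML branch of `renderHandleLink()` returns the raw `getName()`. For the text target this marks unescaped handle names as trusted markup, which matters if that value is ever placed in an HTML context. Wrapping only for the HTML target avoids it: `if ($this->renderingTarget == self::TARGET_HTML) { return phutil_safe_html(implode(', ', $links)); }` followed by `return implode(', ', $links);`. Both functions begin outside their hunks.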
+1 -1
src/applications/transactions/view/PhabricatorApplicationTransactionCommentView.php
··· 128 128 'id' => $this->getPreviewPanelID(), 129 129 'style' => 'display: none', 130 130 ), 131 - self::renderSingleView( 131 + self::renderHTMLView( 132 132 array( 133 133 $header, 134 134 $preview,
+2 -2
src/applications/transactions/view/PhabricatorApplicationTransactionView.php
··· 99 99 $event->appendChild( 100 100 $engine->getOutput($xaction->getComment(), $field)); 101 101 } else if ($has_deleted_comment) { 102 - $event->appendChild(phutil_tag('em', array(), pht( 103 - 'This comment has been deleted.'))); 102 + $event->appendChild( 103 + '<em>'.pht('This comment has been deleted.').'</em>'); 104 104 } 105 105 106 106 $events[] = $event;
+3
src/applications/typeahead/controller/PhabricatorTypeaheadCommonDatasourceController.php
··· 297 297 $rows = array(); 298 298 foreach ($results as $result) { 299 299 $wire = $result->getWireFormat(); 300 + foreach ($wire as $k => $v) { 301 + $wire[$k] = phutil_escape_html($v); 302 + } 300 303 $rows[] = $wire; 301 304 } 302 305
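Review bot: The added loop passes every wire-format value through `phutil_escape_html()` without saying why or checking the value's type. A one-line comment above it would help the next reader, for example `// Table cells are emitted as raw HTML, so escape each wire value.` (this assumes the rows go to a table that does not escape, which the hunk does not show). `getWireFormat()` is not visible either; if any of its values can be an array, the call needs a guard.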
+1 -1
src/applications/uiexample/examples/PhabricatorActionListExample.php
··· 104 104 105 105 return array( 106 106 $view, 107 - hsprintf('<div style="clear: both;"></div>'), 107 + '<div style="clear: both;"></div>', 108 108 $notices, 109 109 ); 110 110 }
+2 -2
src/applications/uiexample/examples/PhabricatorButtonsExample.php
··· 35 35 ), 36 36 ucwords($size.' '.$color.' '.$tag)); 37 37 38 - $view[] = hsprintf('<br /><br />'); 38 + $view[] = '<br /><br />'; 39 39 } 40 40 } 41 41 } 42 42 43 - return phutil_tag('div', array('style' => 'margin: 1em 2em;'), $view); 43 + return '<div style="margin: 1em 2em;">'.implode('', $view).'</div>'; 44 44 } 45 45 }
+13 -12
src/applications/uiexample/examples/PhabricatorTagExample.php
··· 19 19 ->setName('@alincoln') 20 20 ->setHref('#'); 21 21 $tags[] = ' how is stuff?'; 22 - $tags[] = hsprintf('<br /><br />'); 22 + $tags[] = '<br /><br />'; 23 23 24 24 25 25 $tags[] = 'Did you hear that '; ··· 41 41 ->setDotColor(PhabricatorTagView::COLOR_GREY) 42 42 ->setHref('#'); 43 43 $tags[] = ' is gone?'; 44 - $tags[] = hsprintf('<br /><br />'); 44 + $tags[] = '<br /><br />'; 45 45 46 46 $tags[] = 'Take a look at '; 47 47 $tags[] = id(new PhabricatorTagView()) ··· 49 49 ->setName('D123') 50 50 ->setHref('#'); 51 51 $tags[] = ' when you get a chance.'; 52 - $tags[] = hsprintf('<br /><br />'); 52 + $tags[] = '<br /><br />'; 53 53 54 54 $tags[] = 'Hmm? '; 55 55 $tags[] = id(new PhabricatorTagView()) ··· 63 63 ->setBackgroundColor(PhabricatorTagView::COLOR_BLACK) 64 64 ->setName('Abandoned'); 65 65 $tags[] = '.'; 66 - $tags[] = hsprintf('<br /><br />'); 66 + $tags[] = '<br /><br />'; 67 67 68 68 $tags[] = 'I hope someone is going to '; 69 69 $tags[] = id(new PhabricatorTagView()) ··· 77 77 ->setBackgroundColor(PhabricatorTagView::COLOR_REDORANGE) 78 78 ->setName('High Priority'); 79 79 $tags[] = '!'; 80 - $tags[] = hsprintf('<br /><br />'); 80 + $tags[] = '<br /><br />'; 81 81 82 82 83 83 $tags[] = id(new PhabricatorHeaderView()) ··· 89 89 ->setType(PhabricatorTagView::TYPE_STATE) 90 90 ->setBackgroundColor($color) 91 91 ->setName(ucwords($color)); 92 - $tags[] = hsprintf('<br /><br />'); 92 + $tags[] = '<br /><br />'; 93 93 } 94 94 95 95 $tags[] = id(new PhabricatorHeaderView()) ··· 101 101 ->setDotColor(PhabricatorTagView::COLOR_RED) 102 102 ->setBarColor(PhabricatorTagView::COLOR_RED) 103 103 ->setName('Christmas'); 104 - $tags[] = hsprintf('<br /><br />'); 104 + $tags[] = '<br /><br />'; 105 105 $tags[] = id(new PhabricatorTagView()) 106 106 ->setType(PhabricatorTagView::TYPE_OBJECT) 107 107 ->setBackgroundColor(PhabricatorTagView::COLOR_ORANGE) 108 108 ->setDotColor(PhabricatorTagView::COLOR_BLACK) 109 109 ->setBarColor(PhabricatorTagView::COLOR_BLACK) 
110 110 ->setName('Halloween'); 111 - $tags[] = hsprintf('<br /><br />'); 111 + $tags[] = '<br /><br />'; 112 112 $tags[] = id(new PhabricatorTagView()) 113 113 ->setType(PhabricatorTagView::TYPE_STATE) 114 114 ->setBackgroundColor(PhabricatorTagView::COLOR_MAGENTA) ··· 116 116 ->setBarColor(PhabricatorTagView::COLOR_BLUE) 117 117 ->setName('Easter'); 118 118 119 - return phutil_tag( 120 - 'div', 121 - array('style' => 'padding: 1em 2em;'), 122 - $tags); 119 + return array( 120 + '<div style="padding: 1em 2em;">', 121 + $tags, 122 + '</div>', 123 + ); 123 124 } 124 125 }
+1 -1
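--- a/src/applications/uiexample/examples/PhabricatorUINotificationExample.php
+++ b/src/applications/uiexample/examples/PhabricatorUINotificationExample.php
@@ -23,7 +23,7 @@
 ),
 'Show Notification');
 
-$content = hsprintf('<div style="padding: 1em 3em;">%s</div>', $content);
+$content = '<div style="padding: 1em 3em;">'.$content.'</content>';
 
 return $content;
 }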
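Review bot: The wrapper opens a `<div>` but is closed with `</content>`, so the markup is unbalanced and the div stays open for the rest of the page. The removed `hsprintf` template closed it with `</div>`. The line should be `$content = '<div style="padding: 1em 3em;">'.$content.'</div>';`.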
+6 -6
src/applications/uiexample/examples/PhabricatorUIPagerExample.php
··· 35 35 $panel = new AphrontPanelView(); 36 36 $panel->appendChild($table); 37 37 38 - $panel->appendChild(hsprintf( 38 + $panel->appendChild( 39 39 '<p class="phabricator-ui-example-note">'. 40 40 'Use <tt>AphrontPagerView</tt> to render a pager element.'. 41 - '</p>')); 41 + '</p>'); 42 42 43 43 $pager = new AphrontPagerView(); 44 44 $pager->setPageSize($page_size); ··· 47 47 $pager->setURI($request->getRequestURI(), 'offset'); 48 48 $panel->appendChild($pager); 49 49 50 - $panel->appendChild(hsprintf( 50 + $panel->appendChild( 51 51 '<p class="phabricator-ui-example-note">'. 52 52 'You can show more or fewer pages of surrounding context.'. 53 - '</p>')); 53 + '</p>'); 54 54 55 55 $many_pages_pager = new AphrontPagerView(); 56 56 $many_pages_pager->setPageSize($page_size); ··· 60 60 $many_pages_pager->setSurroundingPages(7); 61 61 $panel->appendChild($many_pages_pager); 62 62 63 - $panel->appendChild(hsprintf( 63 + $panel->appendChild( 64 64 '<p class="phabricator-ui-example-note">'. 65 65 'When it is prohibitively expensive or complex to attain a complete '. 66 66 'count of the items, you can select one extra item and set '. 67 67 '<tt>hasMorePages(true)</tt> if it exists, creating an inexact pager.'. 68 - '</p>')); 68 + '</p>'); 69 69 70 70 $inexact_pager = new AphrontPagerView(); 71 71 $inexact_pager->setPageSize($page_size);
+14 -26
src/docs/developer/rendering_html.diviner
··· 108 108 109 109 If you need to build a list of items with some element in between each of them 110 110 (like a middot, comma, or vertical bar) you can use 111 - @{function:phutil_implode_html}: 111 + @{function:array_interleave}: 112 112 113 113 // Render links with commas between them. 114 114 phutil_tag( 115 115 'div', 116 116 array(), 117 - phutil_implode_html(', ', $list_of_links)); 117 + array_interleave(', ', $list_of_links)); 118 118 119 119 = AphrontView Classes = 120 120 ··· 124 124 125 125 return phutil_tag('div', ...); 126 126 127 + @{class:AphrontView} subclasses can use `renderHTMLChildren()` and 128 + `renderHTMLView()` to build @{class@libphutil:PhutilSafeHTML} objects from 129 + children or arbitrary lists of components. 130 + 131 + @{class:AphrontView} subclasses should avoid `renderChildren()` and 132 + `renderSingleView()` and transition callers to the `HTML` varieties. These older 133 + methods do not return @{class@libphutil:PhutilSafeHTML} objects. 134 + 127 135 = Internationalization: pht() = 128 136 129 137 The @{function:pht} function has some special rules. If any input to ··· 148 156 you are wrong and the string is not actually safe, you have introduced an XSS 149 157 vulnerability. Consequently, you should avoid calling this if possible. 150 158 151 - You can use @{function@libphutil:phutil_escape_html_newlines} to escape HTML 152 - while converting newlines to `<br />`. You should not need to explicitly use 153 - @{function@libphutil:phutil_escape_html} anywhere. 159 + You can use @{function@libphutil:phutil_escape_html} to explicitly escape an 160 + HTML string. You should not normally need to use it. 154 161 155 - If you need to apply a string function (such as `trim()`) to safe HTML, use 156 - @{method@libphutil:PhutilSafeHTML::applyFunction}. 162 + You can use @{function@libphutil:phutil_escape_html_newlines} to escape HTML 163 + while converting newlines to `<br />`. 
157 164 158 165 If you need to extract the content of a @{class@libphutil:PhutilSafeHTML} 159 166 object, you should call `getHTMLContent()`, not cast it to a string. Eventually, 160 167 we would like to remove the string cast entirely. 161 - 162 - Functions @{function@libphutil:phutil_tag} and @{function@libphutil:hsprintf} 163 - are not safe if you pass the user input for the tag or attribute name. All the 164 - following examples are dangerous: 165 - 166 - counterexample 167 - phutil_tag($evil); 168 - 169 - phutil_tag('span', array($evil => $evil2)); 170 - 171 - // Use PhutilURI to check if $evil is valid HTTP link. 172 - phutil_tag('a', array('href' => $evil)); 173 - 174 - phutil_tag('span', array('onmouseover' => $evil)); 175 - 176 - hsprintf('<%s>%s</%s>', $evil, $evil2, $evil); 177 - 178 - // We have a lint rule disallowing this. 179 - hsprintf($evil); 180 168 181 169 = Deprecated Functions = 182 170
+3 -5
src/infrastructure/celerity/CelerityStaticResourceResponse.php
··· 98 98 $this->hasRendered[$resource['uri']] = true; 99 99 100 100 $output[] = $this->renderResource($resource); 101 - $output[] = "\n"; 102 101 } 103 - return phutil_implode_html('', $output); 102 + return implode("\n", $output)."\n"; 104 103 } 105 104 106 105 private function renderResource(array $resource) { ··· 181 180 182 181 if ($data) { 183 182 $data = implode("\n", $data); 184 - return hsprintf( 185 - '<script type="text/javascript">//<![CDATA['."\n".'%s//]]></script>', 186 - phutil_safe_html($data)); 183 + return '<script type="text/javascript">//<![CDATA['."\n". 184 + $data.'//]]></script>'; 187 185 } else { 188 186 return ''; 189 187 }
+1 -1
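--- a/src/infrastructure/diff/PhabricatorInlineCommentController.php
+++ b/src/infrastructure/diff/PhabricatorInlineCommentController.php
@@ -71,7 +71,7 @@
 $dialog->setTitle('Really delete this comment?');
 $dialog->addHiddenInput('id', $this->getCommentID());
 $dialog->addHiddenInput('op', 'delete');
-$dialog->appendChild(hsprintf('<p>Delete this inline comment?</p>'));
+$dialog->appendChild('<p>Delete this inline comment?</p>');
 
 $dialog->addCancelButton('#');
 $dialog->addSubmitButton('Delete');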
+1 -1
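--- a/src/infrastructure/diff/PhabricatorInlineCommentPreviewController.php
+++ b/src/infrastructure/diff/PhabricatorInlineCommentPreviewController.php
@@ -34,7 +34,7 @@
 $view->setPreview(true);
 $views[] = $view->render();
 }
-$views = phutil_implode_html("\n", $views);
+$views = implode("\n", $views);
 
 return id(new AphrontAjaxResponse())
 ->setContent($views);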
+14 -21
src/infrastructure/diff/view/PhabricatorInlineSummaryView.php
··· 15 15 16 16 public function render() { 17 17 require_celerity_resource('inline-comment-summary-css'); 18 - return hsprintf('%s%s', $this->renderHeader(), $this->renderTable()); 18 + return $this->renderHeader().$this->renderTable(); 19 19 } 20 20 21 21 private function renderHeader() { ··· 79 79 80 80 $where = idx($item, 'where'); 81 81 82 - $colspan = ($has_where ? null : 2); 83 - $rows[] = hsprintf( 82 + $colspan = ($has_where ? '' : ' colspan="2"'); 83 + $rows[] = 84 84 '<tr>'. 85 - '<td class="inline-line-number">%s</td>'. 86 - '%s'. 87 - '%s'. 88 - '</tr>', 89 - $lines, 90 - ($has_where 91 - ? hsprintf('<td class="inline-which-diff">%s</td>', $where) 92 - : null), 93 - phutil_tag( 94 - 'td', 95 - array( 96 - 'class' => 'inline-summary-content', 97 - 'colspan' => $colspan, 98 - ), 99 - hsprintf( 100 - '<div class="phabricator-remarkup">%s</div>', 101 - $item['content']))); 85 + '<td class="inline-line-number">'.$lines.'</td>'. 86 + ($has_where 87 + ? hsprintf('<td class="inline-which-diff">%s</td>', $where) 88 + : null). 89 + '<td class="inline-summary-content"'.$colspan.'>'. 90 + '<div class="phabricator-remarkup">'. 91 + $item['content']. 92 + '</div>'. 93 + '</td>'. 94 + '</tr>'; 102 95 } 103 96 } 104 97 ··· 107 100 array( 108 101 'class' => 'phabricator-inline-summary-table', 109 102 ), 110 - phutil_implode_html("\n", $rows)); 103 + new PhutilSafeHTML(implode("\n", $rows))); 111 104 } 112 105 113 106 }
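Review bot: In the row builder, `$lines` and `$item['content']` are concatenated unescaped and the joined rows are then wrapped in `new PhutilSafeHTML(implode("\n", $rows))`, so nothing downstream will escape them. `$lines` is assigned above the hunk; confirm it is already escaped there or use `'<td class="inline-line-number">'.phutil_escape_html($lines).'</td>'.`. The `$where` cell still goes through `hsprintf`, so the same row is built two different ways; a comment stating that `$item['content']` is pre-rendered markup would make the trust boundary explicit.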
-18
src/infrastructure/lint/PhabricatorLintEngine.php
··· 5 5 public function buildLinters() { 6 6 $linters = parent::buildLinters(); 7 7 8 - foreach ($linters as $linter) { 9 - if ($linter instanceof ArcanistPhutilXHPASTLinter) { 10 - $linter->setDeprecatedFunctions(array( 11 - 'phutil_escape_html' => 12 - 'The phutil_escape_html() function is deprecated. Raw strings '. 13 - 'passed to phutil_tag() or hsprintf() are escaped automatically.', 14 - 15 - 'javelin_render_tag' => 16 - 'The javelin_render_tag() function is deprecated and unsafe. '. 17 - 'Use javelin_tag() instead.', 18 - 19 - 'phabricator_render_form' => 20 - 'The phabricator_render_form() function is deprecated and unsafe. '. 21 - 'Use phabricator_form() instead.', 22 - )); 23 - } 24 - } 25 - 26 8 $paths = $this->getPaths(); 27 9 28 10 foreach ($paths as $key => $path) {
+4 -2
src/infrastructure/markup/PhabricatorMarkupEngine.php
··· 41 41 42 42 private $objects = array(); 43 43 private $viewer; 44 - private $version = 3; 44 + private $version = 2; 45 45 46 46 47 47 /* -( Markup Pipeline )---------------------------------------------------- */ ··· 160 160 "Call process() before getOutput()."); 161 161 } 162 162 163 - return $this->objects[$key]['output']; 163 + return new PhutilSafeHTML($this->objects[$key]['output']); 164 164 } 165 165 166 166 ··· 424 424 425 425 $rules[] = new PhabricatorRemarkupRuleMention(); 426 426 427 + $rules[] = new PhutilRemarkupRuleEscapeHTML(); 427 428 $rules[] = new PhutilRemarkupRuleBold(); 428 429 $rules[] = new PhutilRemarkupRuleItalic(); 429 430 $rules[] = new PhutilRemarkupRuleDel(); ··· 449 450 foreach ($blocks as $block) { 450 451 if ($block instanceof PhutilRemarkupEngineRemarkupLiteralBlockRule) { 451 452 $literal_rules = array(); 453 + $literal_rules[] = new PhutilRemarkupRuleEscapeHTML(); 452 454 $literal_rules[] = new PhutilRemarkupRuleLinebreaks(); 453 455 $block->setMarkupRules($literal_rules); 454 456 } else if (
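Review bot: `getOutput()` now returns `new PhutilSafeHTML($this->objects[$key]['output'])`, asserting that stored engine output is safe to emit, but nothing in the method says what that rests on. It appears to depend on the `PhutilRemarkupRuleEscapeHTML` entries this commit adds to the main and literal-block rule lists further down. A comment on the return would tie the two together, for example `// Trusted only because PhutilRemarkupRuleEscapeHTML runs in every rule list; keep them in sync.` The methods involved begin and end outside the hunks.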
+10 -7
src/infrastructure/markup/rule/PhabricatorRemarkupRuleCountdown.php
··· 8 8 const KEY_RULE_COUNTDOWN = 'rule.countdown'; 9 9 10 10 public function apply($text) { 11 - return $this->replaceHTML( 11 + return preg_replace_callback( 12 12 "@\B{C(\d+)}\B@", 13 13 array($this, 'markupCountdown'), 14 14 $text); 15 15 } 16 16 17 - protected function markupCountdown($matches) { 17 + private function markupCountdown($matches) { 18 18 $countdown = id(new PhabricatorTimer())->load($matches[1]); 19 19 if (!$countdown) { 20 20 return $matches[0]; ··· 46 46 47 47 foreach ($metadata as $id => $info) { 48 48 list($time, $token) = $info; 49 - $prefix = 'phabricator-timer-'; 50 49 $count = phutil_tag( 51 50 'span', 52 51 array( 53 52 'id' => $id, 54 53 ), 55 54 array( 56 - javelin_tag('span', array('sigil' => $prefix.'days'), ''), 'd', 57 - javelin_tag('span', array('sigil' => $prefix.'hours'), ''), 'h', 58 - javelin_tag('span', array('sigil' => $prefix.'minutes'), ''), 'm', 59 - javelin_tag('span', array('sigil' => $prefix.'seconds'), ''), 's', 55 + javelin_tag('span', 56 + array('sigil' => 'phabricator-timer-days'), '').'d', 57 + javelin_tag('span', 58 + array('sigil' => 'phabricator-timer-hours'), '').'h', 59 + javelin_tag('span', 60 + array('sigil' => 'phabricator-timer-minutes'), '').'m', 61 + javelin_tag('span', 62 + array('sigil' => 'phabricator-timer-seconds'), '').'s', 60 63 )); 61 64 Javelin::initBehavior('countdown-timer', array( 62 65 'timestamp' => $time,
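Review bot: Each unit label is now concatenated onto its tag, as in `javelin_tag('span', array('sigil' => 'phabricator-timer-days'), '').'d'`, which turns the element into a plain string before it is handed to `phutil_tag()` as a child. Per the lint text removed in this commit, raw strings passed to `phutil_tag()` are escaped automatically, so the inner `<span>` markup would probably be shown as text instead of rendered. Keeping the label as its own array element, as the removed lines did, avoids this: `javelin_tag('span', array('sigil' => 'phabricator-timer-days'), ''), 'd',` and likewise for hours, minutes and seconds.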
+1 -1
src/infrastructure/markup/rule/PhabricatorRemarkupRuleEmbedFile.php
··· 10 10 const KEY_EMBED_FILE_PHIDS = 'phabricator.embedded-file-phids'; 11 11 12 12 public function apply($text) { 13 - return $this->replaceHTML( 13 + return preg_replace_callback( 14 14 "@{F(\d+)([^}]+?)?}@", 15 15 array($this, 'markupEmbedFile'), 16 16 $text);
+3 -5
src/infrastructure/markup/rule/PhabricatorRemarkupRuleImageMacro.php
··· 9 9 private $images; 10 10 11 11 public function apply($text) { 12 - return $this->replaceHTML( 12 + return preg_replace_callback( 13 13 '@^([a-zA-Z0-9:_\-]+)$@m', 14 14 array($this, 'markupImageMacro'), 15 15 $text); ··· 25 25 } 26 26 } 27 27 28 - $name = (string)$matches[1]; 29 - 30 - if (array_key_exists($name, $this->images)) { 31 - $phid = $this->images[$name]; 28 + if (array_key_exists($matches[1], $this->images)) { 29 + $phid = $this->images[$matches[1]]; 32 30 33 31 $file = id(new PhabricatorFile())->loadOneWhere('phid = %s', $phid); 34 32 $style = null;
+1 -1
src/infrastructure/markup/rule/PhabricatorRemarkupRuleMeme.php
··· 9 9 private $images; 10 10 11 11 public function apply($text) { 12 - return $this->replaceHTML( 12 + return preg_replace_callback( 13 13 '@{meme,([^}]+)}$@m', 14 14 array($this, 'markupMeme'), 15 15 $text);
+2 -2
src/infrastructure/markup/rule/PhabricatorRemarkupRuleMention.php
··· 21 21 const REGEX = '/(?<!\w)@([a-zA-Z0-9._-]*[a-zA-Z0-9_-])/'; 22 22 23 23 public function apply($text) { 24 - return $this->replaceHTML( 24 + return preg_replace_callback( 25 25 self::REGEX, 26 26 array($this, 'markupMention'), 27 27 $text); 28 28 } 29 29 30 - protected function markupMention($matches) { 30 + private function markupMention($matches) { 31 31 $engine = $this->getEngine(); 32 32 $token = $engine->storeText(''); 33 33
+2 -2
src/infrastructure/markup/rule/PhabricatorRemarkupRuleObjectHandle.php
··· 13 13 14 14 public function apply($text) { 15 15 $prefix = $this->getObjectNamePrefix(); 16 - return $this->replaceHTML( 16 + return preg_replace_callback( 17 17 "@\B{{$prefix}(\d+)}\B@", 18 18 array($this, 'markupObjectHandle'), 19 19 $text); 20 20 } 21 21 22 - protected function markupObjectHandle($matches) { 22 + private function markupObjectHandle($matches) { 23 23 // TODO: These are single gets but should be okay for now, they're behind 24 24 // the cache. 25 25 $phid = $this->loadObjectPHID($matches[1]);
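--- a/src/infrastructure/markup/rule/PhabricatorRemarkupRuleObjectName.php
+++ b/src/infrastructure/markup/rule/PhabricatorRemarkupRuleObjectName.php
@@ -15,7 +15,7 @@
 public function apply($text) {
 $prefix = $this->getObjectNamePrefix();
 $id = $this->getObjectIDPattern();
-return $this->replaceHTML(
+return preg_replace_callback(
 "@\b({$prefix})({$id})(?:#([-\w\d]+))?\b@",
 array($this, 'markupObjectNameLink'),
 $text);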
+2 -2
src/infrastructure/markup/rule/PhabricatorRemarkupRulePhriction.php
··· 7 7 extends PhutilRemarkupRule { 8 8 9 9 public function apply($text) { 10 - return $this->replaceHTML( 10 + return preg_replace_callback( 11 11 '@\B\\[\\[([^|\\]]+)(?:\\|([^\\]]+))?\\]\\]\B@U', 12 12 array($this, 'markupDocumentLink'), 13 13 $text); ··· 28 28 $href = (string) id(new PhutilURI($slug))->setFragment($fragment); 29 29 30 30 if ($this->getEngine()->getState('toc')) { 31 - $text = $name; 31 + $text = phutil_escape_html($name); 32 32 } else { 33 33 $text = phutil_tag( 34 34 'a',
+20 -16
src/infrastructure/markup/rule/PhabricatorRemarkupRuleYoutube.php
··· 10 10 $this->uri = new PhutilURI($text); 11 11 12 12 if ($this->uri->getDomain() && 13 - preg_match('/(^|\.)youtube\.com$/', $this->uri->getDomain()) && 14 - idx($this->uri->getQueryParams(), 'v')) { 13 + preg_match('/(^|\.)youtube\.com$/', $this->uri->getDomain())) { 15 14 return $this->markupYoutubeLink(); 16 15 } 17 16 ··· 20 19 21 20 public function markupYoutubeLink() { 22 21 $v = idx($this->uri->getQueryParams(), 'v'); 23 - $youtube_src = 'https://www.youtube.com/embed/'.$v; 24 - $iframe = hsprintf( 25 - '<div class="embedded-youtube-video">%s</div>', 26 - phutil_tag( 27 - 'iframe', 28 - array( 29 - 'width' => '650', 30 - 'height' => '400', 31 - 'style' => 'margin: 1em auto; border: 0px;', 32 - 'src' => $youtube_src, 33 - 'frameborder' => 0, 34 - ), 35 - '')); 36 - return $this->getEngine()->storeText($iframe); 22 + if ($v) { 23 + $youtube_src = 'https://www.youtube.com/embed/'.$v; 24 + $iframe = 25 + '<div class="embedded-youtube-video">'. 26 + phutil_tag( 27 + 'iframe', 28 + array( 29 + 'width' => '650', 30 + 'height' => '400', 31 + 'style' => 'margin: 1em auto; border: 0px;', 32 + 'src' => $youtube_src, 33 + 'frameborder' => 0, 34 + ), 35 + ''). 36 + '</div>'; 37 + return $this->getEngine()->storeText($iframe); 38 + } else { 39 + return $this->uri; 40 + } 37 41 } 38 42 39 43 }
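Review bot: The `v` query parameter is concatenated into the embed URL in `markupYoutubeLink()` without any check on its shape, so characters such as `/`, `?` or `#` from the pasted link end up in the iframe `src`. `phutil_tag` escapes the attribute for HTML but does not constrain the URL, so I would embed only when the value looks like a video id, e.g. `if ($v && preg_match('/^[A-Za-z0-9_-]+$/', $v)) {`. The new `else` branch also returns the `PhutilURI` object while the other branch returns a stored token; `return (string)$this->uri;` would keep the return type consistent, assuming the caller expects text. The rest of `apply()` is outside the hunk.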
+21 -21
src/view/AphrontDialogView.php
··· 99 99 ), 100 100 $this->cancelText); 101 101 } 102 + $buttons = implode('', $buttons); 102 103 103 104 if (!$this->user) { 104 105 throw new Exception( ··· 130 131 ); 131 132 132 133 $hidden_inputs = array(); 133 - $hidden_inputs[] = phutil_tag( 134 - 'input', 135 - array( 136 - 'type' => 'hidden', 137 - 'name' => '__dialog__', 138 - 'value' => '1', 139 - )); 140 - 141 134 foreach ($this->hidden as $desc) { 142 135 list($key, $value) = $desc; 143 136 $hidden_inputs[] = javelin_tag( ··· 149 142 'sigil' => 'aphront-dialog-application-input' 150 143 )); 151 144 } 145 + $hidden_inputs = implode("\n", $hidden_inputs); 146 + $hidden_inputs = 147 + '<input type="hidden" name="__dialog__" value="1" />'. 148 + $hidden_inputs; 149 + 152 150 153 151 if (!$this->renderAsForm) { 154 - $buttons = array(phabricator_form( 152 + $buttons = phabricator_render_form( 155 153 $this->user, 156 154 $form_attributes, 157 - array_merge($hidden_inputs, $buttons))); 155 + $hidden_inputs.$buttons); 158 156 } 159 157 160 - $buttons[] = phutil_tag('div', array('style' => 'clear: both;'), ''); 161 - $children = $this->renderChildren(); 162 - 163 - $content = hsprintf( 164 - '%s%s%s', 165 - phutil_tag('div', array('class' => 'aphront-dialog-head'), $this->title), 166 - phutil_tag('div', array('class' => 'aphront-dialog-body'), $children), 167 - phutil_tag('div', array('class' => 'aphront-dialog-tail'), $buttons)); 158 + $content = 159 + hsprintf('<div class="aphront-dialog-head">%s</div>', $this->title). 160 + '<div class="aphront-dialog-body">'. 161 + $this->renderChildren(). 162 + '</div>'. 163 + '<div class="aphront-dialog-tail">'. 164 + $buttons. 165 + '<div style="clear: both;"></div>'. 166 + '</div>'; 168 167 169 168 if ($this->renderAsForm) { 170 - return phabricator_form( 169 + return phabricator_render_form( 171 170 $this->user, 172 171 $form_attributes + $attributes, 173 - array($hidden_inputs, $content)); 172 + $hidden_inputs. 
173 + $content); 174 174 } else { 175 - return javelin_tag( 175 + return javelin_render_tag( 176 176 'div', 177 177 $attributes, 178 178 $content);
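Review bot: The dialog body is now `$this->renderChildren()` concatenated between literal `<div>` strings, so a plain-text child appended to the dialog is emitted without escaping, while the title on the line above still goes through `hsprintf`. The buttons and hidden inputs are built with tag helpers, so the children are the part that depends on every caller getting it right. I would state the contract next to the concatenation, e.g. `// NOTE: children are emitted verbatim; callers must append views or already-escaped HTML.` The same raw `renderChildren()` concatenation appears in AphrontContextBarView, AphrontListFilterView, AphrontMiniPanelView and AphrontRequestFailureView. `render()` starts and ends outside the hunks shown.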
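--- a/src/view/AphrontJavelinView.php
+++ b/src/view/AphrontJavelinView.php
@@ -21,7 +21,7 @@
 
 public function render() {
 $id = celerity_generate_unique_node_id();
-$placeholder = phutil_tag('span', array('id' => $id));
+$placeholder = "<span id={$id} />";
 
 require_celerity_resource($this->getCelerityResource());
 
@@ -32,7 +32,7 @@
 'id' => $id,
 'view' => $this->getName(),
 'params' => $this->getParameters(),
-'children' => implode('', $this->renderChildren()),
+'children' => $this->renderChildren(),
 'trigger_id' => $render_context,
 ));
 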
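Review bot: The placeholder `"<span id={$id} />"` leaves the attribute value unquoted and self-closes a non-void element, which HTML parsers treat as an open `<span>` that swallows whatever follows it. The id comes from `celerity_generate_unique_node_id()`, so injection looks unlikely, but a quoted and explicitly closed element does not depend on what that helper returns: `$placeholder = '<span id="'.phutil_escape_html($id).'"></span>';`.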
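--- a/src/view/AphrontNullView.php
+++ b/src/view/AphrontNullView.php
@@ -3,7 +3,7 @@
 final class AphrontNullView extends AphrontView {
 
 public function render() {
-return phutil_implode_html('', $this->renderChildren());
+return $this->renderChildren();
 }
 
 }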
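--- a/src/view/AphrontTagView.php
+++ b/src/view/AphrontTagView.php
@@ -87,7 +87,7 @@
 }
 
 protected function getTagContent() {
-return $this->renderChildren();
+return $this->renderHTMLChildren();
 }
 
 protected function willRender() {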
+25 -1
src/view/AphrontView.php
··· 33 33 foreach ($this->children as $child) { 34 34 $out[] = $this->renderSingleView($child); 35 35 } 36 + return implode('', $out); 37 + } 38 + 39 + final protected function renderHTMLChildren() { 40 + $out = array(); 41 + foreach ($this->children as $child) { 42 + $out[] = $this->renderHTMLView($child); 43 + } 36 44 return $out; 37 45 } 38 46 ··· 44 52 foreach ($child as $element) { 45 53 $out[] = $this->renderSingleView($element); 46 54 } 47 - return phutil_implode_html('', $out); 55 + return implode('', $out); 48 56 } else { 49 57 return $child; 58 + } 59 + } 60 + 61 + final protected function renderHTMLView($child) { 62 + if ($child instanceof AphrontView) { 63 + return phutil_safe_html($child->render()); 64 + } else if ($child instanceof PhutilSafeHTML) { 65 + return $child; 66 + } else if (is_array($child)) { 67 + $out = array(); 68 + foreach ($child as $element) { 69 + $out[] = $this->renderHTMLView($element); 70 + } 71 + return phutil_safe_html(implode('', $out)); 72 + } else { 73 + return phutil_safe_html(phutil_escape_html($child)); 50 74 } 51 75 } 52 76
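Review bot: `renderHTMLChildren()` and `renderHTMLView()` are added without docblocks, although they differ from `renderChildren()`/`renderSingleView()` in both return type and escaping: the HTML variants return an array of / a single `PhutilSafeHTML` and escape plain strings with `phutil_escape_html`, while the older pair now returns an imploded string and passes non-view children through unchanged (`return $child;`). Picking the wrong one yields either a double-escaped or an unescaped value, so each method should say which it is, for example `/** Returns children as a list of PhutilSafeHTML; plain strings are escaped. */` on `renderHTMLChildren()` and `/** Returns children concatenated as raw HTML; strings are NOT escaped. */` on `renderChildren()`. Note also that `phutil_safe_html($child->render())` marks every view's output as trusted, which holds only while each `render()` escapes its own data. The beginnings of `renderChildren()` and `renderSingleView()` are outside the hunks.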
+5 -9
src/view/control/AphrontAttachedFileView.php
··· 44 44 ), 45 45 "\xE2\x9C\x96"); // "Heavy Multiplication X" 46 46 47 - return hsprintf( 47 + return 48 48 '<table class="aphront-attached-file-view"> 49 49 <tr> 50 - <td>%s</td> 51 - <th><strong>%s</strong><br />%s</th> 52 - <td class="aphront-attached-file-view-remove">%s</td> 50 + <td>'.$thumb.'</td> 51 + <th><strong>'.$name.'</strong><br />'.$size.'</th> 52 + <td class="aphront-attached-file-view-remove">'.$remove.'</td> 53 53 </tr> 54 - </table>', 55 - $thumb, 56 - $name, 57 - $size, 58 - $remove); 54 + </table>'; 59 55 } 60 56 61 57 }
+4 -4
src/view/control/AphrontCursorPagerView.php
··· 120 120 "Next \xE2\x80\xBA"); 121 121 } 122 122 123 - return phutil_tag( 124 - 'div', 125 - array('class' => 'aphront-pager-view'), 126 - $links); 123 + return 124 + '<div class="aphront-pager-view">'. 125 + implode('', $links). 126 + '</div>'; 127 127 } 128 128 129 129 }
+5 -5
src/view/control/AphrontPagerView.php
··· 115 115 if ($max - $min > $last) { 116 116 $max = $min + $last; 117 117 if ($max == $min) { 118 - return phutil_tag('div', array('class' => 'aphront-pager-view'), ''); 118 + return '<div class="aphront-pager-view"></div>'; 119 119 } 120 120 } 121 121 ··· 196 196 $label); 197 197 } 198 198 199 - return phutil_tag( 200 - 'div', 201 - array('class' => 'aphront-pager-view'), 202 - $rendered_links); 199 + return 200 + '<div class="aphront-pager-view">'. 201 + implode('', $rendered_links). 202 + '</div>'; 203 203 } 204 204 205 205 private function getDisplayIndex($page_index) {
+40 -33
src/view/control/AphrontTableView.php
··· 111 111 public function render() { 112 112 require_celerity_resource('aphront-table-view-css'); 113 113 114 - $table = array(); 114 + $table_class = $this->className; 115 + 116 + if ($this->deviceReadyTable) { 117 + $table_class .= ' aphront-table-view-device-ready'; 118 + } 119 + 120 + if ($table_class !== null) { 121 + $table_class = ' class="aphront-table-view '.$table_class.'"'; 122 + } else { 123 + $table_class = ' class="aphront-table-view"'; 124 + } 125 + $table = array('<table'.$table_class.'>'); 115 126 116 127 $col_classes = array(); 117 128 foreach ($this->columnClasses as $key => $class) { ··· 140 151 while (count($headers) > count($sort_values)) { 141 152 $sort_values[] = null; 142 153 } 143 - 144 - $tr = array(); 154 + $table[] = '<tr>'; 145 155 foreach ($headers as $col_num => $header) { 146 156 if (!$visibility[$col_num]) { 147 157 continue; ··· 192 202 } 193 203 194 204 if ($classes) { 195 - $class = implode(' ', $classes); 205 + $class = ' class="'.implode(' ', $classes).'"'; 196 206 } else { 197 207 $class = null; 198 208 } ··· 211 221 ), 212 222 $short_headers[$col_num]); 213 223 214 - $header = hsprintf('%s %s', $header_nodevice, $header_device); 224 + $header = $header_nodevice.$header_device; 215 225 } 216 226 217 - $tr[] = phutil_tag('th', array('class' => $class), $header); 227 + $table[] = '<th'.$class.'>'.$header.'</th>'; 218 228 } 219 - $table[] = phutil_tag('tr', array(), $tr); 229 + $table[] = '</tr>'; 220 230 } 221 231 222 232 foreach ($col_classes as $key => $value) { ··· 241 251 while (count($row) > count($visibility)) { 242 252 $visibility[] = true; 243 253 } 244 - $tr = array(); 254 + $class = idx($this->rowClasses, $row_num); 255 + if ($this->zebraStripes && ($row_num % 2)) { 256 + if ($class !== null) { 257 + $class = 'alt alt-'.$class; 258 + } else { 259 + $class = 'alt'; 260 + } 261 + } 262 + if ($class !== null) { 263 + $class = ' class="'.$class.'"'; 264 + } 265 + $table[] = '<tr'.$class.'>'; 245 266 // NOTE: Use of a 
separate column counter is to allow this to work 246 267 // correctly if the row data has string or non-sequential keys. 247 268 $col_num = 0; ··· 254 275 if (!empty($this->cellClasses[$row_num][$col_num])) { 255 276 $class = trim($class.' '.$this->cellClasses[$row_num][$col_num]); 256 277 } 257 - $tr[] = phutil_tag('td', array('class' => $class), $value); 258 - ++$col_num; 259 - } 260 - 261 - $class = idx($this->rowClasses, $row_num); 262 - if ($this->zebraStripes && ($row_num % 2)) { 263 278 if ($class !== null) { 264 - $class = 'alt alt-'.$class; 279 + $table[] = '<td class="'.$class.'">'; 265 280 } else { 266 - $class = 'alt'; 281 + $table[] = '<td>'; 267 282 } 283 + $table[] = $value.'</td>'; 284 + ++$col_num; 268 285 } 269 - 270 - $table[] = phutil_tag('tr', array('class' => $class), $tr); 271 286 ++$row_num; 272 287 } 273 288 } else { 274 289 $colspan = max(count(array_filter($visibility)), 1); 275 - $table[] = hsprintf( 276 - '<tr class="no-data"><td colspan="%s">%s</td></tr>', 277 - $colspan, 278 - coalesce($this->noDataString, 'No data available.')); 279 - } 280 - 281 - $table_class = 'aphront-table-view'; 282 - if ($this->className !== null) { 283 - $table_class .= ' '.$this->className; 284 - } 285 - if ($this->deviceReadyTable) { 286 - $table_class .= ' aphront-table-view-device-ready'; 290 + $table[] = 291 + '<tr class="no-data"><td colspan="'.$colspan.'">'. 292 + coalesce($this->noDataString, 'No data available.'). 293 + '</td></tr>'; 287 294 } 288 - 289 - $html = phutil_tag('table', array('class' => $table_class), $table); 290 - return hsprintf('<div class="aphront-table-wrap">%s</div>', $html); 295 + $table[] = '</table>'; 296 + $html = implode('', $table); 297 + return '<div class="aphront-table-wrap">'.$html.'</div>'; 291 298 } 292 299 293 300 public static function renderSingleDisplayLine($line) {
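Review bot: Cell values are now written as `$table[] = $value.'</td>';` and the empty-table text as a bare `coalesce($this->noDataString, 'No data available.')`, where `phutil_tag` and `hsprintf` previously escaped anything that was not already safe HTML. After this change a plain string passed in a row, a header or `noDataString` is emitted verbatim, and the class names are placed into `class="…"` attributes unescaped as well. The text-only value can be escaped in place, `phutil_escape_html(coalesce($this->noDataString, 'No data available.'))`, provided no caller passes markup there, and `render()` should carry a comment that rows and headers must be pre-escaped HTML. The same pattern applies to `'<h1>'.$this->header.'</h1>'` in AphrontPanelView and to `$content` and `$this->actions` in PhabricatorTransactionView. `render()` starts before the first hunk.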
+30 -31
src/view/control/PhabricatorObjectSelectorDialog.php
··· 101 101 ), 102 102 $label); 103 103 } 104 + $options = implode("\n", $options); 104 105 105 106 $instructions = null; 106 107 if ($this->instructions) { 107 - $instructions = phutil_tag( 108 - 'p', 109 - array('class' => 'phabricator-object-selector-instructions'), 110 - $this->instructions); 108 + $instructions = 109 + '<p class="phabricator-object-selector-instructions">'. 110 + $this->instructions. 111 + '</p>'; 111 112 } 112 113 113 - $search_box = phabricator_form( 114 + $search_box = phabricator_render_form( 114 115 $user, 115 116 array( 116 117 'method' => 'POST', 117 118 'action' => $this->submitURI, 118 119 'id' => $search_id, 119 120 ), 120 - hsprintf( 121 - '<table class="phabricator-object-selector-search"> 122 - <tr> 123 - <td class="phabricator-object-selector-search-filter">%s</td> 124 - <td class="phabricator-object-selector-search-text">%s</td> 125 - </tr> 126 - </table>', 127 - phutil_tag('select', array('id' => $filter_id), $options), 128 - phutil_tag('input', array('id' => $query_id)))); 129 - 130 - $result_box = phutil_tag( 131 - 'div', 132 - array( 133 - 'class' => 'phabricator-object-selector-results', 134 - 'id' => $results_id, 135 - ), 136 - ''); 137 - 138 - $attached_box = hsprintf( 121 + '<table class="phabricator-object-selector-search"> 122 + <tr> 123 + <td class="phabricator-object-selector-search-filter"> 124 + <select id="'.$filter_id.'">'. 125 + $options. 126 + '</select> 127 + </td> 128 + <td class="phabricator-object-selector-search-text"> 129 + <input type="text" id="'.$query_id.'" /> 130 + </td> 131 + </tr> 132 + </table>'); 133 + $result_box = 134 + '<div class="phabricator-object-selector-results" id="'.$results_id.'">'. 135 + '</div>'; 136 + $attached_box = 139 137 '<div class="phabricator-object-selector-current">'. 140 138 '<div class="phabricator-object-selector-currently-attached">'. 141 - '<div class="phabricator-object-selector-header">%s</div>'. 142 - '<div id="%s"></div>'. 143 - '%s'. 
139 + hsprintf( 140 + '<div class="phabricator-object-selector-header">%s</div>', 141 + $this->header). 142 + '<div id="'.$current_id.'">'. 143 + '</div>'. 144 + $instructions. 144 145 '</div>'. 145 - '</div>', 146 - $this->header, 147 - $current_id, 148 - $instructions); 146 + '</div>'; 147 + 149 148 150 149 $dialog = new AphrontDialogView(); 151 150 $dialog
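Review bot: `$this->instructions` is concatenated straight into the `<p class="phabricator-object-selector-instructions">` element, while `$this->header` a few lines further down is still formatted through `hsprintf` and therefore escaped. Unless instructions are meant to carry markup, format them the same way: `$instructions = hsprintf('<p class="phabricator-object-selector-instructions">%s</p>', $this->instructions);`. The element ids (`$filter_id`, `$query_id`, `$results_id`, `$current_id`) are also interpolated into attributes as raw strings; they are assigned outside the hunk, so confirm they are generated values.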
+1 -1
src/view/form/AphrontErrorView.php
··· 92 92 $classes[] = 'aphront-error-severity-'.$this->severity; 93 93 $classes = implode(' ', $classes); 94 94 95 - $children = $this->renderChildren(); 95 + $children = $this->renderHTMLChildren(); 96 96 $children[] = $list; 97 97 98 98 return phutil_tag(
+1 -1
src/view/form/AphrontFormInsetView.php
··· 102 102 $content[] = $this->content; 103 103 } 104 104 105 - $content = array_merge($content, $this->renderChildren()); 105 + $content = array_merge($content, $this->renderHTMLChildren()); 106 106 107 107 return phutil_tag('div', $div_attributes, $content); 108 108 }
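--- a/src/view/form/AphrontFormLayoutView.php
+++ b/src/view/form/AphrontFormLayoutView.php
@@ -38,6 +38,6 @@
 array(
 'class' => $classes,
 ),
-$this->renderChildren());
+$this->renderHTMLChildren());
 }
 }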
+1 -1
src/view/form/AphrontFormView.php
··· 68 68 69 69 $layout 70 70 ->appendChild($this->renderDataInputs()) 71 - ->appendChild($this->renderChildren()); 71 + ->appendChild($this->renderHTMLChildren()); 72 72 73 73 if (!$this->user) { 74 74 throw new Exception('You must pass the user to AphrontFormView.');
+1 -1
src/view/form/control/AphrontFormCropControl.php
··· 29 29 $file = $this->getValue(); 30 30 31 31 if ($file === null) { 32 - return phutil_tag( 32 + return phutil_render_tag( 33 33 'img', 34 34 array( 35 35 'src' => PhabricatorUser::getDefaultProfileImageURI()
+1 -1
src/view/form/control/PhabricatorRemarkupControl.php
··· 154 154 array( 155 155 'sigil' => 'remarkup-assist-control', 156 156 ), 157 - $this->renderSingleView( 157 + $this->renderHTMLView( 158 158 array( 159 159 $buttons, 160 160 parent::renderInput(),
+8 -6
src/view/layout/AphrontContextBarView.php
··· 15 15 16 16 require_celerity_resource('aphront-contextbar-view-css'); 17 17 18 - return hsprintf( 18 + return 19 19 '<div class="aphront-contextbar-view">'. 20 20 '<div class="aphront-contextbar-core">'. 21 - '<div class="aphront-contextbar-buttons">%s</div>'. 22 - '<div class="aphront-contextbar-content">%s</div>'. 21 + '<div class="aphront-contextbar-buttons">'. 22 + $view->render(). 23 + '</div>'. 24 + '<div class="aphront-contextbar-content">'. 25 + $this->renderChildren(). 26 + '</div>'. 23 27 '</div>'. 24 28 '<div style="clear: both;"></div>'. 25 - '</div>', 26 - $view->render(), 27 - $this->renderChildren()); 29 + '</div>'; 28 30 } 29 31 30 32 }
+9 -6
src/view/layout/AphrontCrumbsView.php
··· 17 17 foreach ($this->crumbs as $crumb) { 18 18 $out[] = $this->renderSingleView($crumb); 19 19 } 20 - $out = phutil_implode_html( 21 - hsprintf('<span class="aphront-crumbs-spacer">'."\xC2\xBB".'</span>'), 20 + $out = implode( 21 + '<span class="aphront-crumbs-spacer">'. 22 + "\xC2\xBB". 23 + '</span>', 22 24 $out); 23 25 24 - return hsprintf( 26 + return 25 27 '<div class="aphront-crumbs-view">'. 26 - '<div class="aphront-crumbs-content">%s</div>'. 27 - '</div>', 28 - $out); 28 + '<div class="aphront-crumbs-content">'. 29 + $out. 30 + '</div>'. 31 + '</div>'; 29 32 } 30 33 31 34 }
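--- a/src/view/layout/AphrontListFilterView.php
+++ b/src/view/layout/AphrontListFilterView.php
@@ -4,13 +4,14 @@
 
 public function render() {
 require_celerity_resource('aphront-list-filter-view-css');
-return hsprintf(
+return
 '<table class="aphront-list-filter-view">'.
 '<tr>'.
-'<td class="aphront-list-filter-view-controls">%s</td>'.
+'<td class="aphront-list-filter-view-controls">'.
+$this->renderChildren().
+'</td>'.
 '</tr>'.
-'</table>',
-$this->renderChildren());
+'</table>';
 }
 
 }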
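--- a/src/view/layout/AphrontMiniPanelView.php
+++ b/src/view/layout/AphrontMiniPanelView.php
@@ -3,10 +3,10 @@
 final class AphrontMiniPanelView extends AphrontView {
 
 public function render() {
-return phutil_tag(
-'div',
-array('class' => 'aphront-mini-panel-view'),
-$this->renderChildren());
+return
+'<div class="aphront-mini-panel-view">'.
+$this->renderChildren().
+'</div>';
 }
 
 }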
+12 -13
src/view/layout/AphrontPanelView.php
··· 63 63 64 64 public function render() { 65 65 if ($this->header !== null) { 66 - $header = phutil_tag('h1', array(), $this->header); 66 + $header = '<h1>'.$this->header.'</h1>'; 67 67 } else { 68 68 $header = null; 69 69 } ··· 79 79 80 80 $buttons = null; 81 81 if ($this->buttons) { 82 - $buttons = hsprintf( 83 - '<div class="aphront-panel-view-buttons">%s</div>', 84 - phutil_implode_html(" ", $this->buttons)); 82 + $buttons = 83 + '<div class="aphront-panel-view-buttons">'. 84 + implode(" ", $this->buttons). 85 + '</div>'; 85 86 } 86 - $header_elements = hsprintf( 87 - '<div class="aphront-panel-header">%s%s%s</div>', 88 - $buttons, 89 - $header, 90 - $caption); 91 - 92 - $table = phutil_implode_html('', $this->renderChildren()); 87 + $header_elements = 88 + '<div class="aphront-panel-header">'. 89 + $buttons.$header.$caption. 90 + '</div>'; 91 + $table = $this->renderChildren(); 93 92 94 93 require_celerity_resource('aphront-panel-view-css'); 95 94 ··· 99 98 $classes[] = 'aphront-panel-width-'.$this->width; 100 99 } 101 100 102 - return phutil_tag( 101 + return phutil_render_tag( 103 102 'div', 104 103 array( 105 104 'class' => implode(' ', $classes), 106 105 'id' => $this->id, 107 106 ), 108 - array($header_elements, $table)); 107 + $header_elements.$table); 109 108 } 110 109 111 110 }
+11 -16
src/view/layout/AphrontSideNavFilterView.php
··· 231 231 ), 232 232 ''); 233 233 234 - $local_menu = $this->renderSingleView( 234 + $local_menu = $this->renderHTMLView( 235 235 array( 236 236 $menu_background, 237 237 phutil_tag( ··· 277 277 278 278 $nav_classes = array_merge($nav_classes, $this->classes); 279 279 280 - return phutil_tag( 280 + return phutil_render_tag( 281 281 'div', 282 282 array( 283 283 'class' => implode(' ', $nav_classes), 284 284 'id' => $main_id, 285 285 ), 286 - array( 287 - $local_menu, 288 - $flex_bar, 289 - phutil_tag( 290 - 'div', 291 - array( 292 - 'class' => 'phabricator-nav-content', 293 - 'id' => $content_id, 294 - ), 295 - array( 296 - $crumbs, 297 - phutil_implode_html('', $this->renderChildren()), 298 - )) 299 - )); 286 + $local_menu. 287 + $flex_bar. 288 + phutil_render_tag( 289 + 'div', 290 + array( 291 + 'class' => 'phabricator-nav-content', 292 + 'id' => $content_id, 293 + ), 294 + $crumbs.$this->renderChildren())); 300 295 } 301 296 302 297 }
+1 -1
src/view/layout/PhabricatorActionListView.php
··· 42 42 array( 43 43 'class' => 'phabricator-action-list-view', 44 44 ), 45 - $this->renderSingleView($actions)); 45 + $this->renderHTMLView($actions)); 46 46 } 47 47 48 48
+1 -1
src/view/layout/PhabricatorAnchorView.php
··· 39 39 ), 40 40 ''); 41 41 42 - return $this->renderSingleView(array($marker, $anchor)); 42 + return $this->renderHTMLView(array($marker, $anchor)); 43 43 } 44 44 45 45 }
+2 -2
src/view/layout/PhabricatorCrumbsView.php
··· 55 55 array( 56 56 'class' => 'phabricator-crumbs-actions', 57 57 ), 58 - $this->renderSingleView($actions)); 58 + $this->renderHTMLView($actions)); 59 59 } 60 60 61 61 if ($this->crumbs) { ··· 68 68 'class' => 'phabricator-crumbs-view '. 69 69 'sprite-gradient gradient-breadcrumbs', 70 70 ), 71 - $this->renderSingleView( 71 + $this->renderHTMLView( 72 72 array( 73 73 $action_view, 74 74 $this->crumbs,
+4 -1
src/view/layout/PhabricatorFileLinkListView.php
··· 31 31 $file_links[] = $view->render(); 32 32 } 33 33 34 - return phutil_implode_html(phutil_tag('br'), $file_links); 34 + return $this->renderHTMLView( 35 + array_interleave( 36 + phutil_tag('br'), 37 + $file_links)); 35 38 } 36 39 } 37 40
+1 -1
src/view/layout/PhabricatorHeaderView.php
··· 44 44 array( 45 45 'class' => 'phabricator-header-tags', 46 46 ), 47 - $this->renderSingleView($this->tags)); 47 + $this->renderHTMLView($this->tags)); 48 48 } 49 49 50 50 return phutil_tag(
+2 -2
src/view/layout/PhabricatorMenuItemView.php
··· 117 117 $this->name.$external); 118 118 } 119 119 120 - return $this->renderSingleView( 120 + return $this->renderHTMLView( 121 121 array( 122 - $this->renderChildren(), 122 + $this->renderHTMLChildren(), 123 123 $name, 124 124 )); 125 125 }
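--- a/src/view/layout/PhabricatorMenuView.php
+++ b/src/view/layout/PhabricatorMenuView.php
@@ -167,6 +167,6 @@
 }
 
 protected function getTagContent() {
-return $this->renderSingleView($this->items);
+return $this->renderHTMLView($this->items);
 }
 }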
+3 -3
src/view/layout/PhabricatorObjectItemListView.php
··· 48 48 } 49 49 50 50 if ($this->items) { 51 - $items = $this->renderSingleView($this->items); 51 + $items = $this->renderHTMLView($this->items); 52 52 } else { 53 53 $string = nonempty($this->noDataString, pht('No data.')); 54 54 $items = id(new AphrontErrorView()) ··· 58 58 59 59 $pager = null; 60 60 if ($this->pager) { 61 - $pager = $this->renderSingleView($this->pager); 61 + $pager = $this->renderHTMLView($this->pager); 62 62 } 63 63 64 64 $classes[] = 'phabricator-object-item-list-view'; ··· 71 71 array( 72 72 'class' => implode(' ', $classes), 73 73 ), 74 - $this->renderSingleView( 74 + $this->renderHTMLView( 75 75 array( 76 76 $header, 77 77 $items,
+2 -2
src/view/layout/PhabricatorObjectItemView.php
··· 166 166 array( 167 167 'class' => 'phabricator-object-item-content', 168 168 ), 169 - $this->renderSingleView( 169 + $this->renderHTMLView( 170 170 array( 171 171 $header, 172 172 $attrs, 173 - $this->renderChildren(), 173 + $this->renderHTMLChildren(), 174 174 ))); 175 175 176 176 return phutil_tag(
+2 -2
src/view/layout/PhabricatorPinboardItemView.php
··· 55 55 'height' => $this->imageHeight, 56 56 ))); 57 57 58 - $content = $this->renderChildren(); 58 + $content = $this->renderHTMLChildren(); 59 59 if ($content) { 60 60 $content = phutil_tag( 61 61 'div', ··· 70 70 array( 71 71 'class' => 'phabricator-pinboard-item-view', 72 72 ), 73 - $this->renderSingleView( 73 + $this->renderHTMLView( 74 74 array( 75 75 $header, 76 76 $image,
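--- a/src/view/layout/PhabricatorPinboardView.php
+++ b/src/view/layout/PhabricatorPinboardView.php
@@ -31,7 +31,7 @@
 array(
 'class' => 'phabricator-pinboard-view',
 ),
-$this->renderSingleView($this->items));
+$this->renderHTMLView($this->items));
 }
 
 }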
+4 -5
src/view/layout/PhabricatorProfileHeaderView.php
··· 65 65 <tr> 66 66 <td class="profile-header-description">%s</td> 67 67 </tr> 68 - </table> 69 - %s', 68 + </table>', 70 69 $this->profileName, 71 - self::renderSingleView($this->profileActions), 70 + phutil_safe_html(self::renderSingleView($this->profileActions)), 72 71 $image, 73 - $description, 74 - phutil_implode_html('', $this->renderChildren())); 72 + $description). 73 + $this->renderChildren(); 75 74 } 76 75 }
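Review bot: `phutil_safe_html(self::renderSingleView($this->profileActions))` marks the result as trusted before `hsprintf` sees it, but `renderSingleView()` passes plain-string children through unescaped, so the wrapper switches off the only escaping on this path. If actions are always views or tag objects this is harmless; otherwise `$this->renderHTMLView($this->profileActions)`, which this commit adds to AphrontView, gives the same safe-HTML result with strings escaped. PhabricatorSourceCodeView has the same shape: `$line` is concatenated raw into each row and the rows are wrapped in `new PhutilSafeHTML(implode('', $rows))`, so lines must already be escaped or highlighted HTML when they arrive. The call sits inside an `hsprintf(` that opens before the hunk.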
+3 -3
src/view/layout/PhabricatorPropertyListView.php
··· 78 78 array( 79 79 'class' => 'phabricator-property-list-view', 80 80 ), 81 - $this->renderSingleView($items)); 81 + $this->renderHTMLView($items)); 82 82 } 83 83 84 84 private function renderPropertyPart(array $part) { ··· 99 99 array( 100 100 'class' => 'phabricator-property-list-value', 101 101 ), 102 - $this->renderSingleView($value)); 102 + $this->renderHTMLView($value)); 103 103 } 104 104 105 105 $list = phutil_tag( ··· 107 107 array( 108 108 'class' => 'phabricator-property-list-properties', 109 109 ), 110 - $this->renderSingleView($items)); 110 + $this->renderHTMLView($items)); 111 111 112 112 $shortcuts = null; 113 113 if ($this->hasKeyboardShortcuts) {
+11 -9
src/view/layout/PhabricatorSourceCodeView.php
··· 38 38 ), 39 39 pht('...')); 40 40 } else { 41 - $content_number = $line_number; 42 - $content_line = hsprintf("\xE2\x80\x8B%s", $line); 41 + $content_number = phutil_escape_html($line_number); 42 + $content_line = "\xE2\x80\x8B".$line; 43 43 } 44 44 45 45 // TODO: Provide nice links. 46 46 47 - $rows[] = hsprintf( 47 + $rows[] = 48 48 '<tr>'. 49 - '<th class="phabricator-source-line">%s</th>'. 50 - '<td class="phabricator-source-code">%s</td>'. 51 - '</tr>', 52 - $content_number, 53 - $content_line); 49 + '<th class="phabricator-source-line">'. 50 + $content_number. 51 + '</th>'. 52 + '<td class="phabricator-source-code">'. 53 + $content_line. 54 + '</td>'. 55 + '</tr>'; 54 56 55 57 if ($hit_limit) { 56 58 break; ··· 74 76 array( 75 77 'class' => implode(' ', $classes), 76 78 ), 77 - phutil_implode_html('', $rows))); 79 + new PhutilSafeHTML(implode('', $rows)))); 78 80 } 79 81 80 82 }
+4 -4
src/view/layout/PhabricatorTimelineEventView.php
··· 100 100 } 101 101 102 102 public function render() { 103 - $content = $this->renderChildren(); 103 + $content = $this->renderHTMLChildren(); 104 104 105 105 $title = $this->title; 106 106 if (($title === null) && $this->isEmptyContent($content)) { ··· 138 138 ), 139 139 array($title, $extra)); 140 140 141 - $title = $this->renderSingleView(array($icon, $title)); 141 + $title = $this->renderHTMLView(array($icon, $title)); 142 142 } 143 143 144 144 $wedge = phutil_tag( ··· 275 275 ->setAnchorName($this->anchor) 276 276 ->render(); 277 277 278 - $date = $this->renderSingleView( 278 + $date = $this->renderHTMLView( 279 279 array( 280 280 $anchor, 281 281 phutil_tag( ··· 296 296 array( 297 297 'class' => 'phabricator-timeline-extra', 298 298 ), 299 - phutil_implode_html(" \xC2\xB7 ", $extra)); 299 + array_interleave(" \xC2\xB7 ", $extra)); 300 300 } 301 301 302 302 return $extra;
+25 -27
src/view/layout/PhabricatorTransactionView.php
··· 58 58 $actions = $this->renderTransactionActions(); 59 59 $style = $this->renderTransactionStyle(); 60 60 $content = $this->renderTransactionContent(); 61 - $classes = implode(' ', $this->classes); 61 + $classes = phutil_escape_html(implode(' ', $this->classes)); 62 62 63 63 $transaction_id = $this->anchorName ? 'anchor-'.$this->anchorName : null; 64 64 65 - return phutil_tag( 65 + return phutil_render_tag( 66 66 'div', 67 67 array( 68 68 'class' => 'phabricator-transaction-view', 69 69 'id' => $transaction_id, 70 70 'style' => $style, 71 71 ), 72 - hsprintf( 73 - '<div class="phabricator-transaction-detail %s">'. 74 - '<div class="phabricator-transaction-header">%s%s</div>'. 75 - '%s'. 76 - '</div>', 77 - $classes, 78 - $info, 79 - $actions, 80 - $content)); 72 + '<div class="phabricator-transaction-detail '.$classes.'">'. 73 + '<div class="phabricator-transaction-header">'. 74 + $info. 75 + $actions. 76 + '</div>'. 77 + $content. 78 + '</div>'); 81 79 82 80 } 83 81 ··· 107 105 ->setAnchorName($this->anchorName) 108 106 ->render(); 109 107 110 - $info[] = hsprintf( 111 - '%s%s', 112 - $anchor, 113 - phutil_tag( 114 - 'a', 115 - array('href' => '#'.$this->anchorName), 116 - $this->anchorText)); 108 + $info[] = $anchor.phutil_tag( 109 + 'a', 110 + array( 111 + 'href' => '#'.$this->anchorName, 112 + ), 113 + $this->anchorText); 117 114 } 118 115 119 - $info = phutil_implode_html(" \xC2\xB7 ", $info); 116 + $info = implode(' &middot; ', $info); 120 117 121 - return hsprintf( 122 - '<span class="phabricator-transaction-info">%s</span>', 123 - $info); 118 + return 119 + '<span class="phabricator-transaction-info">'. 120 + $info. 
121 + '</span>'; 124 122 } 125 123 126 124 private function renderTransactionActions() { 127 - return phutil_implode_html('', $this->actions); 125 + return implode('', $this->actions); 128 126 } 129 127 130 128 private function renderTransactionStyle() { ··· 140 138 if (!$content) { 141 139 return null; 142 140 } 143 - return phutil_tag( 144 - 'div', 145 - array('class' => 'phabricator-transaction-content'), 146 - $this->renderSingleView($content)); 141 + return 142 + '<div class="phabricator-transaction-content">'. 143 + $content. 144 + '</div>'; 147 145 } 148 146 149 147 }
+16 -18
src/view/page/AphrontPageView.php
··· 22 22 } 23 23 24 24 protected function getBody() { 25 - return phutil_implode_html('', $this->renderChildren()); 25 + return $this->renderChildren(); 26 26 } 27 27 28 28 protected function getTail() { ··· 45 45 46 46 $this->willRenderPage(); 47 47 48 - $title = $this->getTitle(); 48 + $title = phutil_escape_html($this->getTitle()); 49 49 $head = $this->getHead(); 50 50 $body = $this->getBody(); 51 51 $tail = $this->getTail(); 52 52 53 53 $body_classes = $this->getBodyClasses(); 54 54 55 - $body = phutil_tag( 55 + $body = phutil_render_tag( 56 56 'body', 57 57 array( 58 58 'class' => nonempty($body_classes, null), 59 59 ), 60 - array($body, $tail)); 60 + $body.$tail); 61 61 62 - $response = hsprintf( 63 - '<!DOCTYPE html>'. 64 - '<html>'. 65 - '<head>'. 66 - '<meta charset="UTF-8" />'. 67 - '<title>%s</title>'. 68 - '%s'. 69 - '</head>'. 70 - '%s'. 71 - '</html>', 72 - $title, 73 - $head, 74 - $body); 62 + $response = <<<EOHTML 63 + <!DOCTYPE html> 64 + <html> 65 + <head> 66 + <meta charset="UTF-8" /> 67 + <title>{$title}</title> 68 + {$head} 69 + </head> 70 + {$body} 71 + </html> 75 72 76 - $response = $this->willSendResponse($response); 73 + EOHTML; 77 74 75 + $response = $this->willSendResponse($response); 78 76 return $response; 79 77 80 78 }
+6 -6
src/view/page/AphrontRequestFailureView.php
··· 13 13 final public function render() { 14 14 require_celerity_resource('aphront-request-failure-view-css'); 15 15 16 - return hsprintf( 16 + return 17 17 '<div class="aphront-request-failure-view">'. 18 18 '<div class="aphront-request-failure-head">'. 19 - '<h1>%s</h1>'. 19 + phutil_tag('h1', array(), $this->header). 20 20 '</div>'. 21 - '<div class="aphront-request-failure-body">%s</div>'. 22 - '</div>', 23 - $this->header, 24 - $this->renderChildren()); 21 + '<div class="aphront-request-failure-body">'. 22 + $this->renderChildren(). 23 + '</div>'. 24 + '</div>'; 25 25 } 26 26 27 27 }
+17 -7
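--- a/src/view/page/PhabricatorBarePageView.php
+++ b/src/view/page/PhabricatorBarePageView.php
@@ -55,13 +55,13 @@
 protected function willRenderPage() {
 // We render this now to resolve static resources so they can appear in the
 // document head.
-$this->bodyContent = phutil_implode_html('', $this->renderChildren());
+$this->bodyContent = $this->renderChildren();
 }
 
 protected function getHead() {
 $framebust = null;
 if (!$this->getFrameable()) {
-$framebust = '(top == self) || top.location.replace(self.location.href);';
+$framebust = '(top != self) && top.location.replace(self.location.href);';
 }
 
 $viewport_tag = null;
@@ -78,12 +78,22 @@
 
 $response = CelerityAPI::getStaticResourceResponse();
 
-return hsprintf(
-'%s<script type="text/javascript">%s window.__DEV__=%s;</script>%s',
+$head = array(
 $viewport_tag,
-$framebust,
-(PhabricatorEnv::getEnvConfig('phabricator.developer-mode') ? '1' : '0'),
-$response->renderResourcesOfType('css'));
+
+'<script type="text/javascript">'.
+$framebust.
+'window.__DEV__='.
+(PhabricatorEnv::getEnvConfig('phabricator.developer-mode')
+? '1'
+: '0').
+';'.
+'</script>',
+
+$response->renderResourcesOfType('css'),
+);
+
+return implode("\n", $head);
 }
 
 protected function getBody() {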
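Review bot: The `$framebust` script in `getHead()` is the only framing defence visible in these hunks, and script-based frame busting is not reliable on its own because it depends on the script actually running inside the framed document. If the response does not already carry `X-Frame-Options: Deny` (or a CSP `frame-ancestors` directive) whenever `getFrameable()` is false, that header should be sent alongside this script. The response-header code is outside the hunk, so this is something to confirm rather than a demonstrated gap. A short comment above the assignment, such as `// Defence in depth only; the framing response header is the primary control.`, would keep the intent clear.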
+20 -19
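--- a/src/view/page/PhabricatorStandardPageView.php
+++ b/src/view/page/PhabricatorStandardPageView.php
@@ -212,11 +212,15 @@
 
 $response = CelerityAPI::getStaticResourceResponse();
 
-return hsprintf(
-'%s<style type="text/css">.PhabricatorMonospaced { font: %s; }</style>%s',
+$head = array(
 parent::getHead(),
-phutil_safe_html($monospaced),
-$response->renderSingleResource('javelin-magical-init'));
+'<style type="text/css">'.
+'.PhabricatorMonospaced { font: '.$monospaced.'; }'.
+'</style>',
+$response->renderSingleResource('javelin-magical-init'),
+);
+
+return implode("\n", $head);
 }
 
 public function setGlyph($glyph) {
@@ -235,9 +239,8 @@
 $console = $request->getApplicationConfiguration()->getConsole();
 
 if ($console) {
-$response = PhutilSafeHTML::applyFunction(
-'str_replace',
-hsprintf('<darkconsole />'),
+$response = str_replace(
+'<darkconsole />',
 $console->render($request),
 $response);
 }
@@ -292,22 +295,20 @@
 }
 
 return
-phutil_tag(
+phutil_render_tag(
 'div',
 array(
 'id' => 'base-page',
 'class' => 'phabricator-standard-page',
 ),
-hsprintf(
-'%s%s%s'.
-'<div class="phabricator-standard-page-body">'.
-'%s%s<div style="clear: both;"></div>'.
-'</div>',
-$developer_warning,
-$setup_warning,
-$header_chrome,
-($console ? hsprintf('<darkconsole />') : null),
-parent::getBody()));
+$developer_warning.
+$setup_warning.
+$header_chrome.
+'<div class="phabricator-standard-page-body">'.
+($console ? '<darkconsole />' : null).
+parent::getBody().
+'<div style="clear: both;"></div>'.
+'</div>');
 }
 
 protected function getTail() {
@@ -356,7 +357,7 @@
 $response->renderHTMLFooter(),
 );
 
-return phutil_implode_html("\n", $tail);
+return implode("\n", $tail);
 }
 
 protected function getBodyClasses() {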
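Review bot: `$monospaced` is concatenated straight into the `<style>` element in the first hunk, and nothing visible constrains its characters; the removed line wrapped it in `phutil_safe_html()`, so it was not escaped before this commit either. Where the value is assigned is outside the hunk, so its source should be checked: if it can come from a user preference or an editable config field, it should be reduced to font-list characters before output, e.g. `$monospaced = preg_replace('/[^a-zA-Z0-9 ,.\'"\/-]/', '', $monospaced);`. HTML entity escaping does not help inside `<style>`, which is why an allowlist is the better form here. The `getHead()` body begins before the hunk.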
+1 -1
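--- a/src/view/page/menu/PhabricatorMainMenuGroupView.php
+++ b/src/view/page/menu/PhabricatorMainMenuGroupView.php
@@ -33,7 +33,7 @@
 array(
 'class' => implode(' ', $classes),
 ),
-$this->renderChildren());
+$this->renderHTMLChildren());
 }
 
 }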
+7 -8
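--- a/src/view/page/menu/PhabricatorMainMenuSearchView.php
+++ b/src/view/page/menu/PhabricatorMainMenuSearchView.php
@@ -60,19 +60,18 @@
 'value' => $scope,
 ));
 
-$form = phabricator_form(
+$form = phabricator_render_form(
 $user,
 array(
 'action' => '/search/',
 'method' => 'POST',
 ),
-hsprintf(
-'<div class="phabricator-main-menu-search-container">'.
-'%s<button>Search</button>%s%s'.
-'</div>',
-$input,
-$scope_input,
-$target));
+'<div class="phabricator-main-menu-search-container">'.
+$input.
+'<button>Search</button>'.
+$scope_input.
+$target.
+'</div>');
 
 return $form;
 }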
+7 -10
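--- a/src/view/page/menu/PhabricatorMainMenuView.php
+++ b/src/view/page/menu/PhabricatorMainMenuView.php
@@ -51,7 +51,7 @@
 $phabricator_menu = $this->renderPhabricatorMenu();
 
 if ($alerts) {
-$alerts = phutil_tag(
+$alerts = phutil_render_tag(
 'div',
 array(
 'class' => 'phabricator-main-menu-alerts',
@@ -65,14 +65,14 @@
 $application_menu->addClass('phabricator-application-menu');
 }
 
-return phutil_tag(
+return phutil_render_tag(
 'div',
 array(
 'class' => 'phabricator-main-menu',
 'id' => $header_id,
 ),
-array(
-self::renderSingleView(array(
+self::renderSingleView(
+array(
 $this->renderPhabricatorMenuButton($header_id),
 $application_menu
 ? $this->renderApplicationMenuButton($header_id)
@@ -81,9 +81,8 @@
 $alerts,
 $phabricator_menu,
 $application_menu,
-)),
-self::renderSingleView($menus),
-));
+))).
+self::renderSingleView($menus);
 }
 
 private function renderSearch() {
@@ -409,9 +408,7 @@
 '');
 
 return array(
-hsprintf('%s%s', $bubble_tag, $message_tag),
-$notification_dropdown,
-);
+$bubble_tag.$message_tag, $notification_dropdown);
 }
 
 private function renderMenuIcon($name) {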
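Review bot: In the third hunk the `))).` on new line 84 closes the `phutil_render_tag()` call, so `self::renderSingleView($menus)` is appended after the `phabricator-main-menu` div instead of being a child of it as in the removed `array(...)` form. That is presumably intended, since the commit is a revert, but the run of closing parentheses makes the nesting easy to misread. A comment before new line 85, such as `// Dropdown menus are emitted after the main menu div, not inside it.`, would document the structure. The enclosing method starts before the hunk, so the markup the stylesheet expects cannot be checked from here.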