Minor, fix XSS in task description change notifications.

@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

phorge phabricator

fork

+14 -25

1 changed file

expand all

src

applications

feed

story

PhabricatorFeedStoryManiphest.php

+14 -25

src/applications/feed/story/PhabricatorFeedStoryManiphest.php

··· 26 26 $this->getStoryData()->getAuthorPHID(), 27 27 $data->getValue('taskPHID'), 28 28 $data->getValue('ownerPHID'), 29 - )); 29 + )); 30 30 } 31 31 32 32 public function getRequiredObjectPHIDs() { 33 33 return array( 34 34 $this->getStoryData()->getAuthorPHID(), 35 - ); 35 + ); 36 36 } 37 37 38 38 public function renderView() { ··· 78 78 } 79 79 80 80 private function getLineForData($data) { 81 - $actor_phid = $data->getAuthorPHID(); 82 - $owner_phid = $data->getValue('ownerPHID'); 83 - $task_phid = $data->getValue('taskPHID'); 84 81 $action = $data->getValue('action'); 85 - $description = $data->getValue('description'); 86 - $comments = phutil_escape_html( 87 - phutil_utf8_shorten( 88 - $data->getValue('comments'), 89 - 140)); 90 82 83 + $actor_phid = $data->getAuthorPHID(); 91 84 $actor_link = $this->linkTo($actor_phid); 85 + 86 + $task_phid = $data->getValue('taskPHID'); 92 87 $task_link = $this->linkTo($task_phid); 88 + 89 + $owner_phid = $data->getValue('ownerPHID'); 93 90 $owner_link = $this->linkTo($owner_phid); 94 91 95 92 $verb = ManiphestAction::getActionPastTenseVerb($action); 96 93 97 - if (($action == ManiphestAction::ACTION_ASSIGN 98 - || $action == ManiphestAction::ACTION_REASSIGN) 99 - && !$owner_phid) { 100 - //double assignment since the action is diff in this case 101 - $verb = $action = 'placed up for grabs'; 102 - } 103 - $one_line = "{$actor_link} {$verb} {$task_link}"; 104 - 105 94 switch ($action) { 106 95 case ManiphestAction::ACTION_ASSIGN: 107 96 case ManiphestAction::ACTION_REASSIGN: 108 - $one_line .= " to {$owner_link}"; 97 + if ($owner_phid) { 98 + $one_line = "{$actor_link} {$verb} to {$owner_link}"; 99 + } else { 100 + $one_line = "{$actor_link} placed {$task_link} up for grabs"; 101 + } 109 102 break; 110 - case ManiphestAction::ACTION_DESCRIPTION: 111 - $one_line .= " to {$description}"; 103 + default: 104 + $one_line = "{$actor_link} {$verb} {$task_link}"; 112 105 break; 113 - } 114 - 115 - if ($comments) { 116 - $one_line .= " \"{$comments}\""; 117 106 } 118 107 119 108 return $one_line;

Configure Feed

Configure Feed