

Properly escape inline <script>

Test Plan:
Loaded Phabricator page, checked the source code. Also:

$c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId=';
echo CelerityStaticResourceResponse::renderInlineScript(
jsprintf(
'console.log(%s); // </script>
%s',
$c_uri,
"</script><b>x</b>"));

Reviewers: epriestley, btrahan

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D5741

+19 -10
+2 -4
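--- a/src/applications/phame/view/PhamePostView.php
+++ b/src/applications/phame/view/PhamePostView.php
@@ -162,8 +162,7 @@
 '');
 
 $c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId='.$fb_id;
-$fb_js = hsprintf(
-'<script>%s</script>',
+$fb_js = CelerityStaticResourceResponse::renderInlineScript(
 jsprintf(
 '(function(d, s, id) {'.
 ' var js, fjs = d.getElementsByTagName(s)[0];'.
@@ -211,8 +210,7 @@
 ));
 
 // protip - try some var disqus_developer = 1; action to test locally
-$disqus_js = hsprintf(
-'<script>%s</script>',
+$disqus_js = CelerityStaticResourceResponse::renderInlineScript(
 jsprintf(
 ' var disqus_shortname = "phabricator";'.
 ' var disqus_identifier = %s;'.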
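Review bot: The two new `renderInlineScript(` wrappers (new lines 165 and 213) throw rather than escape when a literal `</script>` reaches them, so any `%s` placeholder in these jsprintf calls that is fed post- or commenter-controlled data would now produce a server error instead of a rendered post if jsprintf's `%s` leaves `<` unescaped. The jsprintf arguments and the jsprintf implementation are both outside the hunk, so whether `$fb_id` or the Disqus identifier can carry such text cannot be confirmed from here; if either can, encode it before interpolation rather than relying on the exception. Separately, `$fb_id` is appended to `$c_uri` on the context line above the change without `rawurlencode()`, so a value containing `&` or `#` would rewrite the fragment parameters handed to the Facebook SDK — harmless if the id is validated configuration, worth a check otherwise. The enclosing method begins before the hunk.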
+13 -3
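--- a/src/infrastructure/celerity/CelerityStaticResourceResponse.php
+++ b/src/infrastructure/celerity/CelerityStaticResourceResponse.php
@@ -182,12 +182,22 @@
 
 if ($data) {
 $data = implode("\n", $data);
-return hsprintf(
-'<script type="text/javascript">//<![CDATA['."\n".'%s//]]></script>',
-phutil_safe_html($data));
+return self::renderInlineScript($data);
 } else {
 return '';
 }
+}
+
+public static function renderInlineScript($data) {
+if (stripos($data, '</script>') !== false) {
+throw new Exception(
+'Literal </script> is not allowed inside inline script.');
+}
+return hsprintf(
+// We don't use <![CDATA[ ]]> because it is ignored by HTML parsers. We
+// would need to send the document with XHTML content type.
+'<script type="text/javascript">%s</script>',
+phutil_safe_html($data));
 }
 
 public function buildAjaxResponse($payload, $error = null) {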
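Review bot: The guard in renderInlineScript (new line 192) only rejects the exact token `</script>`, but the HTML tokenizer closes a script element on `</script` followed by whitespace, `/` or `>`, so `</script >` or `</script/` pass the check and still terminate the element. Drop the closing bracket from the needle so the prefix is what is rejected: `if (stripos($data, '</script') !== false) {`. Consider also rejecting `<!--`, since an HTML comment opener inside script data moves the tokenizer into the escaped states, where a later `<script`/`</script` pair is handled differently than a plain substring check assumes — e.g. `if (strpos($data, '<!--') !== false) { throw new Exception('Literal <!-- is not allowed inside inline script.'); }`. Throwing (fail closed, a 500 rather than an XSS) is the right default here, because jsprintf is not visible in this hunk and whether its `%s` escapes `<` cannot be confirmed; the enclosing class begins outside the hunk.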
+4 -3
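--- a/src/view/page/PhabricatorBarePageView.php
+++ b/src/view/page/PhabricatorBarePageView.php
@@ -91,13 +91,14 @@
 
 $response = CelerityAPI::getStaticResourceResponse();
 
+$developer = PhabricatorEnv::getEnvConfig('phabricator.developer-mode');
 return hsprintf(
-'%s%s%s<script type="text/javascript">%s window.__DEV__=%s;</script>%s',
+'%s%s%s%s%s',
 $viewport_tag,
 $icon_tag,
 $apple_tag,
-$framebust,
-(PhabricatorEnv::getEnvConfig('phabricator.developer-mode') ? '1' : '0'),
+CelerityStaticResourceResponse::renderInlineScript(
+$framebust.jsprintf('window.__DEV__=%d;', ($developer ? 1 : 0))),
 $response->renderResourcesOfType('css'));
 }
 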
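Review bot: The rewrite on new line 101 drops the separator the old format string kept between the framebust code and the dev flag (`%s window.__DEV__=%s;`): `$framebust.jsprintf(...)` glues the two statements together, so if `$framebust` (assigned outside the hunk) ever ends without a `;` or `}` the result is a JavaScript syntax error that would disable both snippets, including the framebusting. Insert an explicit separator, e.g. `$framebust."\n".jsprintf('window.__DEV__=%d;', ($developer ? 1 : 0))`. Both inputs are static code or a boolean config value, so the new `</script>` check in renderInlineScript is defense in depth here rather than a live risk. The enclosing method starts before the hunk.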