@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge


Added `-` to the whitelist for CSS rules

Summary: Fixes T11567. This way people can use things like `sans-serif` and `-webkit-small-control` for their "monospaced" font.

Test Plan:
I added the hyphen to the regex, then was able to set my Monospaced Font to be anything with a hyphen in it.

I also tried to break it pretty extensively, but couldn't find anything that would let me write malicious CSS or JS.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, yelirekim

Maniphest Tasks: T11567

Differential Revision: https://secure.phabricator.com/D16519

Josh Cox f712ae71 0030bda1

+3 -3
src/applications/settings/setting/PhabricatorMonospacedFontSetting.php
··· 34 34 throw new Exception( 35 35 pht( 36 36 'Monospaced font value "%s" is unsafe. You may only enter '. 37 - 'letters, numbers, spaces, commas, periods, forward slashes '. 38 - 'and double quotes.', 37 + 'letters, numbers, spaces, commas, periods, hyphens, '. 38 + 'forward slashes, and double quotes', 39 39 $value)); 40 40 } 41 41 } 42 42 43 43 public static function filterMonospacedCSSRule($monospaced) { 44 44 // Prevent the user from doing dangerous things. 45 - return preg_replace('([^a-z0-9 ,"./]+)i', '', $monospaced); 45 + return preg_replace('([^a-z0-9 ,"./-]+)i', '', $monospaced); 46 46 } 47 47 48 48 }
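Review bot: the rewritten exception message loses the trailing period the old text had ('and double quotes.' became 'forward slashes, and double quotes'), so the sentence now ends without punctuation; restore it as `'forward slashes, and double quotes.', `. The hyphen is correctly placed last in the character class `[^a-z0-9 ,"./-]`, so it is a literal rather than a range, but the allow-list now lives in two places, the message and `filterMonospacedCSSRule()`, while the check that actually throws this exception sits above the hunk and is not shown; confirm it was updated to the same character set so a value that passes validation is not silently altered by the filter, and consider deriving both regexes and the message from one shared constant so they cannot drift apart again.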