
Write search bolding in a way which is certainly HTML-safe

Authored by epriestley <git@epriestley.com> on Apr 26 2014, 21:44.

Description

Write search bolding in a way which is certainly HTML-safe

Summary:
This algorithm is tricky, and uses phutil_safe_html() directly, which makes it potentially unsafe.

In particular, D8859 fixes a bug with it which caused it to produce non-utf8 output. This doesn't guarantee it's a security problem, but does make it suspicious.

I don't actually see a way to break it, but rewrite it so that it's absolutely bulletproof and does not need to call phutil_safe_html().

Test Plan:
{F147487}

@rugabarbo, if you have a chance, can you check if this still works for you?

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley, rugabarbo

Differential Revision: https://secure.phabricator.com/D8862
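The HTML-safe approach the summary asks for, as an added example written here and not the code of this commit (the function name bold_search_terms() is assumed): split the raw text on the search terms first, escape each piece exactly once, and only then add the <strong> tags, so nothing unescaped and no byte-level substring ever reaches the output.

```php
<?php
// Added example, not the code from rPH88ae24659396. The function name
// bold_search_terms() is assumed for illustration.
//
// Technique: never edit an already-escaped string. Split the *raw* text
// into matched and unmatched segments with a Unicode-aware regex, escape
// every segment exactly once, then wrap only the matched ones in <strong>.
// No call to phutil_safe_html() is needed because nothing unescaped
// ever reaches the output.

function bold_search_terms($text, array $terms) {
  $terms = array_filter(array_unique($terms), 'strlen');
  if (!$terms) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
  // Longest term first, so "café" is not shadowed by the prefix "caf".
  usort($terms, function ($a, $b) { return strlen($b) - strlen($a); });
  // preg_quote() neutralises regex metacharacters in user-supplied terms;
  // the 'u' modifier makes PCRE work on code points, so a match boundary
  // can never fall inside a multibyte character (the non-UTF-8 output
  // bug mentioned in D8859 is a byte-offset problem of exactly that kind).
  $pattern = '/('.implode('|', array_map(function ($t) {
    return preg_quote($t, '/');
  }, $terms)).')/iu';

  // DELIM_CAPTURE keeps the matched text as the odd-indexed parts.
  $parts = preg_split($pattern, $text, -1, PREG_SPLIT_DELIM_CAPTURE);
  if ($parts === false) {
    // Malformed UTF-8 input: escape everything (replacing bad bytes with
    // U+FFFD) and skip the bolding rather than emit anything unescaped.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  }

  $out = '';
  foreach ($parts as $i => $part) {
    $escaped = htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
    $out .= ($i % 2) ? '<strong>'.$escaped.'</strong>' : $escaped;
  }
  return $out;
}

// Constructed sample input: the text carries markup, a quote, an ampersand
// and a multibyte character; one search term is itself markup.
$text = 'Search <b>results</b> for "café & bar"';
echo bold_search_terms($text, array('caf', '<b>')), "\n";
```

Running it shows the <b> in the text and the <b> search term both coming out escaped, with the <strong> tags the function itself emits as the only live markup, and the accented character left intact.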

Details

Committed
epriestley <git@epriestley.com>, Apr 26 2014, 21:44
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPH1b0d53ec650f: Fix Differential transaction strengths
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH88ae24659396: Write search bolding in a way which is certainly HTML-safe (authored by epriestley <git@epriestley.com>). Apr 26 2014, 21:44