Page MenuHomePhabricator

Make qsprintf() return an object, not a string, to support %P and hardening of %Q

Authored by epriestley on Nov 7 2018, 12:23 AM.



Ref T13217. Ref T13216. Previously, we changed csprintf() to return an object instead of a string to support %P for passwords. Prepare for a %P for qsprintf(...) too. T13217 discusses general plans here, although %P, %LA, %LO, and %LQ are not implemented yet.

This may be a little rocky, but the csprintf() change was generally fairly straightforward so I have reasonably high hopes about this one not being too terribly painful.

Test Plan

Loaded a Phabricator page -- which now generates hundreds of "unsafe query construction" errors, but still works.

Diff Detail

rPHU libphutil
Lint Not Applicable
Tests Not Applicable

Event Timeline

amckinley added inline comments.

Worth adding a "TODO" here to clean up later? Or is the conversion for this going to be effectively endless?

This revision is now accepted and ready to land.Nov 7 2018, 8:27 PM