
Make qsprintf() return an object, not a string, to support %P and hardening of %Q
Closed, Public

Authored by epriestley on Nov 7 2018, 12:23 AM.

Details

Summary

Ref T13217. Ref T13216. Previously, we changed csprintf() to return an object instead of a string to support %P for passwords. Prepare for a %P for qsprintf(...) too. T13217 discusses general plans here, although %P, %LA, %LO, and %LQ are not implemented yet.

This may be a little rocky, but the csprintf() change was generally fairly straightforward so I have reasonably high hopes about this one not being too terribly painful.

Test Plan

Loaded a Phabricator page -- which now generates hundreds of "unsafe query construction" errors, but still works.

Diff Detail

Repository
rPHU libphutil
Lint
Lint Not Applicable
Unit
Tests Not Applicable
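
A minimal sketch of the idea in the summary, added here as an example and not taken from libphutil: once the formatter returns an object, `%Q` can tell a fragment the formatter built from a hand-concatenated string, and a `%P`-style secret can be kept out of the loggable form. `DemoQueryString`, `demo_qsprintf()`, the masking behaviour and the use of `addslashes()` in place of connection-aware escaping are all assumptions.

```php
<?php
// Added illustration. DemoQueryString and demo_qsprintf() are hypothetical
// names; this is not libphutil's implementation.
final class DemoQueryString {
  private $unmasked;
  private $masked;
  public function __construct($unmasked, $masked) {
    $this->unmasked = $unmasked;
    $this->masked = $masked;
  }
  public function getUnmaskedString() { return $this->unmasked; } // for the database
  public function getMaskedString() { return $this->masked; }     // for logs
}
function demo_qsprintf($pattern, ...$args) {
  $unmasked = '';
  $masked = '';
  $parts = preg_split('/(%[sdQP])/', $pattern, -1, PREG_SPLIT_DELIM_CAPTURE);
  foreach ($parts as $part) {
    $u = $m = $part; // default: literal text from the pattern
    if ($part === '%d') {
      $u = $m = (string)(int)array_shift($args);
    } else if ($part === '%s' || $part === '%P') {
      // Assumption: addslashes() stands in for the connection's escaper.
      $u = "'".addslashes((string)array_shift($args))."'";
      $m = ($part === '%P') ? "'********'" : $u;
    } else if ($part === '%Q') {
      $value = array_shift($args);
      if ($value instanceof DemoQueryString) {
        $u = $value->getUnmaskedString();
        $m = $value->getMaskedString();
      } else {
        // A raw string carries no proof it was escaped: report, keep working.
        trigger_error('Unsafe query construction: raw string in %Q', E_USER_WARNING);
        $u = $m = (string)$value;
      }
    }
    $unmasked .= $u;
    $masked .= $m;
  }
  return new DemoQueryString($unmasked, $masked);
}

// Constructed sample values.
$where = demo_qsprintf('name = %s AND secret = %P', "o'brien", 'hunter2');
$query = demo_qsprintf('SELECT id FROM user WHERE %Q LIMIT %d', $where, 10);
echo $query->getMaskedString(), "\n";
// Legacy call site: a hand-built string reaches %Q and is flagged.
$legacy = demo_qsprintf('SELECT id FROM user WHERE %Q', "name = 'alice'");
echo $legacy->getUnmaskedString(), "\n";
```

The warning on the legacy call does not stop execution, which mirrors the test plan's observation that pages still load while reporting errors.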

Event Timeline

amckinley added inline comments.
src/xsprintf/qsprintf.php, line 200

Worth adding a "TODO" here to clean up later? Or is the conversion for this going to be effectively endless?

This revision is now accepted and ready to land. Nov 7 2018, 8:27 PM