Page MenuHomePhabricator

Allow dashes in monospace font preferences
Closed, ResolvedPublic


Currently the monospaced font setting in user preferences doesn't allow dashes. This prevents valid values (such as Inconsolata-dz) and the CSS generic font-family sans-serif (admittedly a bizarre choice for monospaced font, but some prefer proportional even when the monospaced makes sense).


  • Go to Personal or Global Display Preferences
  • Enter 13px sans-serif as the Monospaced Font
  • Click Save Changes

Anticipated results:

  • Monospaced font is changed to sans-serif

Actual results:

  • Error stating Monospaced font value "13px sans-serif" is unsafe. You may only enter letters, numbers, spaces, commas, periods, forward slashes and double quotes.

phabricator 2201c65eb73fb99b8625bea45c273d262f2c289f (Tue, Aug 23)
arcanist 89e8b48523844cc3eff8b775f8fae49e85f8fc22 (Fri, Aug 19)
phutil 237549280f08feb8852857b1d109dfb0aba345f0 (Mon, Aug 22)

Event Timeline

I believe this is fine; I can't immediately come up with an attack using -.

avivey renamed this task from Allow dashes in monospace font to Allow dashes in monospace font preferences.Aug 31 2016, 5:52 PM
avivey updated the task description. (Show Details)
epriestley edited projects, added Contributor Onboarding; removed Bug Report.
  • Try to come up with a way that - can do something dangerous when injected into a CSS rule.
    • See D7274#47131 for a template of how to attack this.
    • If you can come up with any attacks, don't implement this.
  • Adjust the regular expression in PhabricatorMonospacedFontSetting::filterMonospacedCSSRule() to include -.
  • Adjust the error text in PhabricatorMonospacedFontSetting->validateTransactionValue() to say "..., hyphens, ..." or similar.
epriestley moved this task from Backlog to Basic on the Contributor Onboarding board.