Page MenuHomePhabricator

Allow dashes in monospace font preferences
Closed, ResolvedPublic

Description

Currently the monospaced font setting in user preferences doesn't allow dashes. This prevents valid values (such as Inconsolata-dz) and the CSS generic font-family sans-serif (admittedly a bizarre choice for monospaced font, but some prefer proportional even when the monospaced makes sense).

Reproduction:

  • Go to Personal or Global Display Preferences
  • Enter 13px sans-serif as the Monospaced Font
  • Click Save Changes

Anticipated results:

  • Monospaced font is changed to sans-serif

Actual results:

  • Error stating Monospaced font value "13px sans-serif" is unsafe. You may only enter letters, numbers, spaces, commas, periods, forward slashes and double quotes.

Version:
phabricator 2201c65eb73fb99b8625bea45c273d262f2c289f (Tue, Aug 23)
arcanist 89e8b48523844cc3eff8b775f8fae49e85f8fc22 (Fri, Aug 19)
phutil 237549280f08feb8852857b1d109dfb0aba345f0 (Mon, Aug 22)

Event Timeline

I believe this is fine; I can't immediately come up with an attack using -.

avivey renamed this task from Allow dashes in monospace font to Allow dashes in monospace font preferences.Aug 31 2016, 5:52 PM
avivey updated the task description. (Show Details)
epriestley edited projects, added Contributor Onboarding; removed Bug Report.
  • Try to come up with a way that - can do something dangerous when injected into a CSS rule.
    • See D7274#47131 for a template of how to attack this.
    • If you can come up with any attacks, don't implement this.
  • Adjust the regular expression in PhabricatorMonospacedFontSetting::filterMonospacedCSSRule() to include -.
  • Adjust the error text in PhabricatorMonospacedFontSetting->validateTransactionValue() to say "..., hyphens, ..." or similar.
epriestley moved this task from Backlog to Basic on the Contributor Onboarding board.