Page MenuHomePhabricator

Write search bolding in a way which is certainly HTML-safe
ClosedPublic

Authored by epriestley on Apr 25 2014, 7:20 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Jan 10, 6:56 AM
Unknown Object (File)
Thu, Jan 2, 6:17 AM
Unknown Object (File)
Nov 20 2024, 6:34 PM
Unknown Object (File)
Nov 9 2024, 5:32 PM
Unknown Object (File)
Nov 9 2024, 5:31 PM
Unknown Object (File)
Nov 9 2024, 5:31 PM
Unknown Object (File)
Nov 9 2024, 5:31 PM
Unknown Object (File)
Nov 6 2024, 12:41 AM

Details

Summary

This algorithm is tricky, and uses phutil_safe_html() directly, which makes it potentially unsafe.

In particular, D8859 fixes a bug with it which caused it to produce non-utf8 output. This doesn't guarantee it's a security problem, but does make it suspicious.

I don't actually see a way to break it, but rewrite it so that it's absolutely bulletproof and does not need to call phutil_safe_html().

Test Plan

Screen_Shot_2014-04-25_at_12.17.32_PM.png (1×1 px, 166 KB)

@rugabarbo, if you have a chance, can you check if this still works for you?

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley retitled this revision from to Write search bolding in a way which is certainly HTML-safe.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added a subscriber: rugabarbo.

@epriestley, now I have no access to iMac, where I found bug D8859 (it appeared only for Mac OS X phabricator instance).
I get access to it only two days later :-(

If you can wait I will apply this patch for Mac OS X phabricator two days later...

Now I only have a laptop with "Ubuntu 14.04 LTS".
But here I couldn't reproduce this bug.

Phabricator instance on ubuntu works fine without D8859.
And it's magic for me.

btrahan edited edge metadata.

Seems unit testable if you anticipate more changes / swapping around implementations.

This revision is now accepted and ready to land.Apr 26 2014, 2:31 AM
epriestley updated this revision to Diff 21043.

Closed by commit rP88ae24659396 (authored by @epriestley).

(I'm going with a gut feeling that unit tests on this probably won't pay for themselves, but I'll write some to repent if this gets touched again.)

@epriestley, I checked it for Mac OS X Phabricator installation (where I found this bug first time).
Now it works fine (search results aren't corrupted any more and bolding works fine too).

Thanks!