Convert everything to safe HTML

Summary: Sgrepped for `"=~/</"` and manually changed every HTML.

Test Plan: This doesn't work yet but it is hopefully one of the last diffs before Phabricator will be undoubtedly HTML safe.

Reviewers: epriestley

CC: aran, Korvin

Maniphest Tasks: T2432

Differential Revision: https://secure.phabricator.com/D4927

Author: vrana

src/aphront/AphrontRequest.php

@@ -9,7 +9,7 @@
 final class AphrontRequest {
 
   // NOTE: These magic request-type parameters are automatically included in
-  // certain requests (e.g., by phabricator_render_form(), JX.Request,
+  // certain requests (e.g., by phabricator_form(), JX.Request,
   // JX.Workflow, and ConduitClient) and help us figure out what sort of
   // response the client expects.
 

src/aphront/console/plugin/DarkConsoleErrorLogPlugin.php

@@ -36,7 +36,7 @@ public function renderPanel() {
     $data = $this->getData();
 
     $rows = array();
-    $details = '';
+    $details = array();
 
     foreach ($data as $index => $row) {
       $file = $row['file'];
@@ -50,7 +50,7 @@ public function renderPanel() {
         $row['str'].' at ['.basename($file).':'.$line.']');
       $rows[] = array($tag);
 
-      $details .= hsprintf(
+      $details[] = hsprintf(
         '<div class="dark-console-panel-error-details" id="row-details-%s">'.
         "%s\nStack trace:\n",
         $index,
@@ -73,28 +73,30 @@ public function renderPanel() {
           }
         }
 
-        $details .= phutil_tag(
+        $details[] = phutil_tag(
           'a',
           array(
             'href' => $href,
           ),
           $line);
-        $details .= "\n";
+        $details[] = "\n";
       }
 
-      $details .= '</div>';
+      $details[] = hsprintf('</div>');
     }
 
     $table = new AphrontTableView($rows);
     $table->setClassName('error-log');
     $table->setHeaders(array('Error'));
     $table->setNoDataString('No errors.');
 
-    return '<div>'.
-      '<div>'.$table->render().'</div>'.
-      '<pre class="PhabricatorMonospaced">'.
-      $details.'</pre>'.
-      '</div>';
+    return hsprintf(
+      '<div>'.
+        '<div>%s</div>'.
+        '<pre class="PhabricatorMonospaced">%s</pre>'.
+      '</div>',
+      $table->render(),
+      phutil_implode_html('', $details));
   }
 }
 

src/aphront/console/plugin/DarkConsoleEventPlugin.php

@@ -42,10 +42,10 @@ public function renderPanel() {
 
     $out = array();
 
-    $out[] =
+    $out[] = hsprintf(
       '<div class="dark-console-panel-header">'.
         '<h1>Registered Event Listeners</h1>'.
-      '</div>';
+      '</div>');
 
     $rows = array();
     foreach ($data['listeners'] as $listener) {
@@ -66,10 +66,10 @@ public function renderPanel() {
 
     $out[] = $table->render();
 
-    $out[] =
+    $out[] = hsprintf(
       '<div class="dark-console-panel-header">'.
         '<h1>Event Log</h1>'.
-      '</div>';
+      '</div>');
 
     $rows = array();
     foreach ($data['events'] as $event) {
@@ -93,6 +93,6 @@ public function renderPanel() {
     $out[] = $table->render();
 
 
-    return implode("\n", $out);
+    return phutil_implode_html("\n", $out);
   }
 }

src/aphront/console/plugin/DarkConsoleRequestPlugin.php

@@ -62,6 +62,6 @@ public function renderPanel() {
       $out[] = $table->render();
     }
 
-    return implode("\n", $out);
+    return phutil_implode_html("\n", $out);
   }
 }

src/aphront/console/plugin/DarkConsoleServicesPlugin.php

@@ -149,20 +149,21 @@ public function renderPanel() {
     $log = $data['log'];
     $results = array();
 
-    $results[] =
+    $results[] = hsprintf(
       '<div class="dark-console-panel-header">'.
-        phutil_tag(
-          'a',
-          array(
-            'href'  => $data['analyzeURI'],
-            'class' => $data['didAnalyze']
-              ? 'disabled button'
-              : 'green button',
-          ),
-          'Analyze Query Plans').
+        '%s'.
         '<h1>Calls to External Services</h1>'.
         '<div style="clear: both;"></div>'.
-      '</div>';
+      '</div>',
+      phutil_tag(
+        'a',
+        array(
+          'href'  => $data['analyzeURI'],
+          'class' => $data['didAnalyze']
+            ? 'disabled button'
+            : 'green button',
+        ),
+        'Analyze Query Plans'));
 
     $page_total = $data['end'] - $data['start'];
     $totals = array();
@@ -271,7 +272,7 @@ public function renderPanel() {
 
     $results[] = $table->render();
 
-    return implode("\n", $results);
+    return phutil_implode_html("\n", $results);
   }
 }
 

src/aphront/console/plugin/DarkConsoleXHProfPlugin.php

@@ -51,48 +51,52 @@ public function renderPanel() {
           'class' => 'bright-link',
         ),
         'Installation Guide');
-      return
+      return hsprintf(
         '<div class="dark-console-no-content">'.
           'The "xhprof" PHP extension is not available. Install xhprof '.
           'to enable the XHProf console plugin. You can find instructions in '.
-          'the '.$install_guide.'.'.
-        '</div>';
+          'the %s.'.
+        '</div>',
+        $install_guide);
     }
 
     $result = array();
 
-    $header =
+    $header = hsprintf(
       '<div class="dark-console-panel-header">'.
-        phutil_tag(
-          'a',
-          array(
-            'href'  => $profile_uri,
-            'class' => $run
-              ? 'disabled button'
-              : 'green button',
-          ),
-          'Profile Page').
+        '%s'.
         '<h1>XHProf Profiler</h1>'.
-      '</div>';
+      '</div>',
+      phutil_tag(
+        'a',
+        array(
+          'href'  => $profile_uri,
+          'class' => $run
+            ? 'disabled button'
+            : 'green button',
+        ),
+        'Profile Page'));
     $result[] = $header;
 
     if ($run) {
-      $result[] =
-        '<a href="/xhprof/profile/'.$run.'/" '.
+      $result[] = hsprintf(
+        '<a href="/xhprof/profile/%s/" '.
           'class="bright-link" '.
           'style="float: right; margin: 1em 2em 0 0;'.
             'font-weight: bold;" '.
           'target="_blank">Profile Permalink</a>'.
-        '<iframe src="/xhprof/profile/'.$run.'/?frame=true"></iframe>';
+        '<iframe src="/xhprof/profile/%s/?frame=true"></iframe>',
+        $run,
+        $run);
     } else {
-      $result[] =
+      $result[] = hsprintf(
         '<div class="dark-console-no-content">'.
           'Profiling was not enabled for this page. Use the button above '.
           'to enable it.'.
-        '</div>';
+        '</div>');
     }
 
-    return implode("\n", $result);
+    return phutil_implode_html("\n", $result);
   }
 
 

src/aphront/response/AphrontWebpageResponse.php

@@ -13,7 +13,7 @@ public function setContent($content) {
   }
 
   public function buildResponseString() {
-    return $this->content;
+    return hsprintf('%s', $this->content);
   }
 
 }

src/applications/auth/controller/PhabricatorEmailLoginController.php

@@ -138,8 +138,8 @@ public function processRequest() {
 
     $panel = new AphrontPanelView();
     $panel->setWidth(AphrontPanelView::WIDTH_FORM);
-    $panel->appendChild('
-      <h1>'.pht('Forgot Password / Email Login').'</h1>');
+    $panel->appendChild(phutil_tag('h1', array(), pht(
+      'Forgot Password / Email Login')));
     $panel->appendChild($email_auth);
     $panel->setNoBackground();
 

src/applications/auth/controller/PhabricatorLDAPLoginController.php

@@ -131,7 +131,7 @@ public function processRequest() {
 
     $panel = new AphrontPanelView();
     $panel->setWidth(AphrontPanelView::WIDTH_FORM);
-    $panel->appendChild('<h1>'.pht('LDAP login').'</h1>');
+    $panel->appendChild(phutil_tag('h1', array(), pht('LDAP login')));
     $panel->appendChild($ldap_form);
 
     $error_view = null;

src/applications/auth/controller/PhabricatorLoginValidateController.php

@@ -53,7 +53,9 @@ public function processRequest() {
         '<p>%s</p>%s<p>%s</p>',
         pht('Login failed:'),
         $list,
-        pht('<strong>Clear your cookies</strong> and try again.')));
+        pht(
+          '<strong>Clear your cookies</strong> and try again.',
+          hsprintf(''))));
       $view->appendChild(hsprintf(
         '<div class="aphront-failure-continue">'.
           '<a class="button" href="/login/">%s</a>'.

src/applications/auth/controller/PhabricatorOAuthDiagnosticsController.php

@@ -186,11 +186,11 @@ private function renderResults($results) {
 
     $panel_view = new AphrontPanelView();
     $panel_view->setHeader($title);
-    $panel_view->appendChild(
+    $panel_view->appendChild(hsprintf(
       '<p class="aphront-panel-instructions">These tests may be able to '.
-      'help diagnose the root cause of problems you experience with '.
-      $provider->getProviderName() .
-      ' Authentication. Reload the page to run the tests again.</p>');
+      'help diagnose the root cause of problems you experience with %s '.
+      'Authentication. Reload the page to run the tests again.</p>',
+      $provider->getProviderName()));
     $panel_view->appendChild($table_view);
 
     return $this->buildStandardPageResponse(

src/applications/base/controller/PhabricatorController.php

@@ -203,10 +203,9 @@ public function didProcessRequest($response) {
         $view = new PhabricatorStandardPageView();
         $view->setRequest($request);
         $view->setController($this);
-        $view->appendChild(
-          '<div style="padding: 2em 0;">'.
-            $response->buildResponseString().
-          '</div>');
+        $view->appendChild(hsprintf(
+          '<div style="padding: 2em 0;">%s</div>',
+          $response->buildResponseString()));
         $response = new AphrontWebpageResponse();
         $response->setContent($view->render());
         return $response;

src/applications/conduit/controller/PhabricatorConduitListController.php

@@ -59,11 +59,11 @@ public function processRequest() {
 
     $utils = new AphrontPanelView();
     $utils->setHeader('Utilities');
-    $utils->appendChild(
+    $utils->appendChild(hsprintf(
       '<ul>'.
       '<li><a href="/conduit/log/">Log</a> - Conduit Method Calls</li>'.
       '<li><a href="/conduit/token/">Token</a> - Certificate Install</li>'.
-      '</ul>');
+      '</ul>'));
     $utils->setWidth(AphrontPanelView::WIDTH_FULL);
 
     $this->setShowSideNav(false);

src/applications/config/response/PhabricatorConfigResponse.php

@@ -23,20 +23,18 @@ public function buildResponseString() {
 
     $view = $this->view->render();
 
-    $template = <<<EOTEMPLATE
-<!doctype html>
-<html>
-  <head>
-    <title>Phabricator Setup</title>
-    {$resources}
-  </head>
-  <body class="setup-fatal">
-    {$view}
-  </body>
-</html>
-EOTEMPLATE;
-
-    return $template;
+    return hsprintf(
+      '<!DOCTYPE html>'.
+      '<html>'.
+        '<head>'.
+          '<meta charset="UTF-8" />'.
+          '<title>Phabricator Setup</title>'.
+          '%s'.
+        '</head>'.
+        '<body class="setup-fatal">%s</body>'.
+      '</html>',
+      $resources,
+      $view);
   }
 
   private function buildResources() {
@@ -49,11 +47,12 @@ private function buildResources() {
 
     $resources = array();
     foreach ($css as $path) {
-      $resources[] = '<style type="text/css">';
-      $resources[] = Filesystem::readFile($webroot.'/rsrc/css/'.$path);
-      $resources[] = '</style>';
+      $resources[] = phutil_tag(
+        'style',
+        array('type' => 'text/css'),
+        Filesystem::readFile($webroot.'/rsrc/css/'.$path));
     }
-    return implode("\n", $resources);
+    return phutil_implode_html("\n", $resources);
   }
 
 

src/applications/conpherence/controller/ConpherenceViewController.php

@@ -149,7 +149,7 @@ private function renderMessagePaneContent() {
         ->setMarkupEngine($engine)
         ->render();
     }
-    $transactions = implode(' ', $rendered_transactions);
+    $transactions = phutil_implode_html(' ', $rendered_transactions);
 
     $form =
       id(new AphrontFormView())
@@ -292,7 +292,7 @@ private function renderFilesWidgetPaneContent() {
         ->setNoDataString(pht('No files attached to conpherence.'))
         ->setHeaders(array('', pht('Name')))
         ->setColumnClasses(array('', 'wide'));
-    return new PhutilSafeHTML($header->render() . $table->render());
+    return hsprintf('%s%s', $header->render(), $table->render());
   }
 
   private function renderTaskWidgetPaneContent() {
@@ -328,7 +328,7 @@ private function renderTaskWidgetPaneContent() {
         ->setColumnClasses(array('', 'wide'));
       $content[] = $table->render();
     }
-    return new PhutilSafeHTML(implode('', $content));
+    return phutil_implode_html('', $content);
   }
 
   private function renderCalendarWidgetPaneContent() {
@@ -416,7 +416,7 @@ private function renderCalendarWidgetPaneContent() {
       }
     }
 
-    return new PhutilSafeHTML(implode('', $content));
+    return phutil_implode_html('', $content);
   }
 
   private function getCalendarWidgetWeekTimestamps() {