Convert setCaption() to safe HTML

Test Plan: /settings/panel/display/

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T2432

Differential Revision: https://secure.phabricator.com/D4824

Author: vrana

src/applications/auth/controller/PhabricatorLoginController.php

@@ -177,9 +177,9 @@ public function processRequest() {
           id(new AphrontFormPasswordControl())
             ->setLabel(pht('Password'))
             ->setName('password')
-            ->setCaption(
-              '<a href="/login/email/">'.
-                pht('Forgot your password? / Email Login').'</a>'));
+            ->setCaption(hsprintf(
+              '<a href="/login/email/">%s</a>',
+              pht('Forgot your password? / Email Login'))));
 
       if ($require_captcha) {
         $form->appendChild(

src/applications/conduit/controller/PhabricatorConduitConsoleController.php

@@ -97,7 +97,7 @@ public function processRequest() {
         id(new AphrontFormTextControl())
           ->setLabel($param)
           ->setName("params[{$param}]")
-          ->setCaption(phutil_escape_html($desc)));
+          ->setCaption($desc));
     }
 
     $form

src/applications/countdown/controller/PhabricatorCountdownEditController.php

@@ -97,11 +97,11 @@ public function processRequest() {
           ->setLabel('End date')
           ->setValue($display_datepoint)
           ->setName('datepoint')
-          ->setCaption(
+          ->setCaption(hsprintf(
             'Examples: '.
             '<tt>2011-12-25</tt> or '.
             '<tt>3 hours</tt> or '.
-            '<tt>June 8 2011, 5 PM</tt>.'))
+            '<tt>June 8 2011, 5 PM</tt>.')))
       ->appendChild(
         id(new AphrontFormSubmitControl())
           ->addCancelButton('/countdown/')

src/applications/directory/controller/PhabricatorDirectoryMainController.php

@@ -149,9 +149,9 @@ private function buildNeedsTriagePanel(array $projects) {
 
     $panel = new AphrontPanelView();
     $panel->setHeader('Needs Triage');
-    $panel->setCaption(
+    $panel->setCaption(hsprintf(
       'Open tasks with "Needs Triage" priority in '.
-      '<a href="/project/">projects you are a member of</a>.');
+      '<a href="/project/">projects you are a member of</a>.'));
 
     $panel->addButton(
       phutil_tag(

src/applications/files/controller/PhabricatorFileUploadController.php

@@ -99,7 +99,7 @@ private function renderUploadLimit() {
     $limit = phabricator_parse_bytes($limit);
     if ($limit) {
       $formatted = phabricator_format_bytes($limit);
-      return 'Maximum file size: '.phutil_escape_html($formatted);
+      return 'Maximum file size: '.$formatted;
     }
 
     $doc_href = PhabricatorEnv::getDocLink(
@@ -112,7 +112,7 @@ private function renderUploadLimit() {
       ),
       'Configuring File Upload Limits');
 
-    return 'Upload limit is not configured, see '.$doc_link.'.';
+    return hsprintf('Upload limit is not configured, see %s.', $doc_link);
   }
 
 }

src/applications/maniphest/controller/ManiphestReportController.php

@@ -245,12 +245,13 @@ public function renderBurn() {
 
     if ($handle) {
       $header = "Task Burn Rate for Project ".$handle->renderLink();
-      $caption = "<p>NOTE: This table reflects tasks <em>currently</em> in ".
-                 "the project. If a task was opened in the past but added to ".
-                 "the project recently, it is counted on the day it was ".
-                 "opened, not the day it was categorized. If a task was part ".
-                 "of this project in the past but no longer is, it is not ".
-                 "counted at all.</p>";
+      $caption = hsprintf(
+        "<p>NOTE: This table reflects tasks <em>currently</em> in ".
+        "the project. If a task was opened in the past but added to ".
+        "the project recently, it is counted on the day it was ".
+        "opened, not the day it was categorized. If a task was part ".
+        "of this project in the past but no longer is, it is not ".
+        "counted at all.</p>");
     } else {
       $header = "Task Burn Rate for All Tasks";
       $caption = null;

src/applications/maniphest/controller/ManiphestTaskEditController.php

@@ -478,8 +478,9 @@ public function processRequest() {
     $email_create = PhabricatorEnv::getEnvConfig(
       'metamta.maniphest.public-create-email');
     if (!$task->getID() && $email_create) {
-      $email_hint = pht('You can also create tasks by sending an email to: ').
-                    '<tt>'.phutil_escape_html($email_create).'</tt>';
+      $email_hint = pht(
+        'You can also create tasks by sending an email to: %s',
+        phutil_tag('tt', array(), $email_create));
       $description_control->setCaption($email_hint);
     }
 

src/applications/metamta/controller/PhabricatorMetaMTAReceiveController.php

@@ -57,7 +57,10 @@ public function processRequest() {
         id(new AphrontFormTextControl())
           ->setLabel(pht('To'))
           ->setName('obj')
-          ->setCaption(pht('e.g. <tt>D1234</tt> or <tt>T1234</tt>')))
+          ->setCaption(pht(
+            'e.g. %s or %s',
+            phutil_tag('tt', array(), 'D1234'),
+            phutil_tag('tt', array(), 'T1234'))))
       ->appendChild(
         id(new AphrontFormTextAreaControl())
           ->setLabel(pht('Body'))

src/applications/metamta/controller/PhabricatorMetaMTASendController.php

@@ -116,8 +116,10 @@ public function processRequest() {
         id(new AphrontFormTextControl())
           ->setLabel(pht('Mail Tags'))
           ->setName('mailtags')
-          ->setCaption(
-            pht('Example:').' <tt>differential-cc, differential-comment</tt>'))
+          ->setCaption(pht(
+            'Example: %s',
+            phutil_tag('tt', array(), 'differential-cc, differential-comment'))
+          ))
       ->appendChild(
         id(new AphrontFormDragAndDropUploadControl())
           ->setLabel(pht('Attach Files'))
@@ -144,8 +146,7 @@ public function processRequest() {
             '1',
             pht('Send immediately. (Do not enqueue for daemons.)'),
             PhabricatorEnv::getEnvConfig('metamta.send-immediately'))
-          ->setCaption(pht('Daemons can be started with %s.', $phdlink))
-          )
+          ->setCaption(pht('Daemons can be started with %s.', $phdlink)))
       ->appendChild(
         id(new AphrontFormSubmitControl())
           ->setValue(pht('Send Mail')));

src/applications/phame/controller/blog/PhameBlogEditController.php

@@ -150,8 +150,7 @@ public function processRequest() {
         ->setLabel('Custom Domain')
         ->setName('custom_domain')
         ->setValue($blog->getDomain())
-        ->setCaption('Must include at least one dot (.), e.g. '.
-        'blog.example.com')
+        ->setCaption('Must include at least one dot (.), e.g. blog.example.com')
         ->setError($e_custom_domain)
       )
       ->appendChild(

src/applications/repository/controller/PhabricatorRepositoryArcanistProjectEditController.php

@@ -83,7 +83,8 @@ public function processRequest() {
         id(new AphrontFormTextControl())
           ->setLabel('Indexed Languages')
           ->setName('symbolIndexLanguages')
-          ->setCaption('Separate with commas, for example: <tt>php, py</tt>')
+          ->setCaption(
+            hsprintf('Separate with commas, for example: <tt>php, py</tt>'))
           ->setValue($langs))
       ->appendChild(
         id(new AphrontFormTokenizerControl())

src/applications/repository/controller/PhabricatorRepositoryEditController.php

@@ -456,7 +456,8 @@ private function processTrackingRequest() {
           ->setHeight(AphrontFormTextAreaControl::HEIGHT_VERY_SHORT)
           ->setValue($repository->getDetail('ssh-key'))
           ->setError($e_ssh_key)
-          ->setCaption('Specify the entire private key, <em>or</em>...'))
+          ->setCaption(
+            hsprintf('Specify the entire private key, <em>or</em>...')))
       ->appendChild(
         id(new AphrontFormTextControl())
           ->setName('ssh-keyfile')
@@ -552,10 +553,10 @@ private function processTrackingRequest() {
             ->setName('branch-filter')
             ->setLabel('Track Only')
             ->setValue($branch_filter_str)
-            ->setCaption(
+            ->setCaption(hsprintf(
               'Optional list of branches to track. Other branches will be '.
               'completely ignored. If left empty, all branches are tracked. '.
-              'Example: <tt>master, release</tt>'));
+              'Example: <tt>master, release</tt>')));
     }
 
     $inset
@@ -651,7 +652,7 @@ private function processTrackingRequest() {
             ->setName('uuid')
             ->setLabel('UUID')
             ->setValue($repository->getUUID())
-            ->setCaption('Repository UUID from <tt>svn info</tt>.'));
+            ->setCaption(hsprintf('Repository UUID from <tt>svn info</tt>.')));
     }
 
     $form->appendChild($inset);

src/applications/settings/panel/PhabricatorSettingsPanelDisplayPreferences.php

@@ -67,7 +67,6 @@ function helloWorld() {
       'User Guide: Configuring an External Editor');
 
     $font_default = PhabricatorEnv::getEnvConfig('style.monospace');
-    $font_default = phutil_escape_html($font_default);
 
     $pref_monospaced_textareas_value = $preferences
       ->getPreference($pref_monospaced_textareas);
@@ -97,11 +96,11 @@ function helloWorld() {
         id(new AphrontFormTextControl())
         ->setLabel('Editor Link')
         ->setName($pref_editor)
-        ->setCaption(
+        ->setCaption(hsprintf(
           'Link to edit files in external editor. '.
-          '%f is replaced by filename, %l by line number, %r by repository '.
-          'callsign, %% by literal %. '.
-          "For documentation, see {$editor_doc_link}.")
+          '%%f is replaced by filename, %%l by line number, %%r by repository '.
+          'callsign, %%%% by literal %%. For documentation, see %s.',
+          $editor_doc_link))
         ->setValue($preferences->getPreference($pref_editor)))
       ->appendChild(
         id(new AphrontFormSelectControl())
@@ -116,9 +115,10 @@ function helloWorld() {
         id(new AphrontFormTextControl())
         ->setLabel('Monospaced Font')
         ->setName($pref_monospaced)
-        ->setCaption(
+        ->setCaption(hsprintf(
           'Overrides default fonts in tools like Differential.<br />'.
-          '(Default: '.$font_default.')')
+          '(Default: %s)',
+          $font_default))
         ->setValue($preferences->getPreference($pref_monospaced)))
       ->appendChild(
         id(new AphrontFormMarkupControl())

src/view/form/control/AphrontFormControl.php

@@ -140,10 +140,10 @@ final public function render() {
     }
 
     if (strlen($this->getCaption())) {
-      $caption =
-        '<div class="aphront-form-caption">'.
-          $this->getCaption().
-        '</div>';
+      $caption = phutil_tag(
+        'div',
+        array('class' => 'aphront-form-caption'),
+        $this->getCaption());
     } else {
       $caption = null;
     }

src/view/layout/AphrontPanelView.php

@@ -69,10 +69,10 @@ public function render() {
     }
 
     if ($this->caption !== null) {
-      $caption =
-        '<div class="aphront-panel-view-caption">'.
-          $this->caption.
-        '</div>';
+      $caption = phutil_tag(
+        'div',
+        array('class' => 'aphront-panel-view-caption'),
+        $this->caption);
     } else {
       $caption = null;
     }