Fix an XSS issue where Diffusion files exceeding the highlighting byte limit were not properly escaped

epriestley · epriestley · commit 498cb5c09637 · 2016-07-02T05:17:05.000-07:00
Fixes T11257.

Auditors: chad
diff --git a/src/applications/diffusion/controller/DiffusionBrowseController.php b/src/applications/diffusion/controller/DiffusionBrowseController.php
@@ -682,17 +682,21 @@ private function buildCorpus(
         $blame_commits,
         $show_blame);
     } else {
-      if ($can_highlight) {
-        require_celerity_resource('syntax-highlighting-css');
+      require_celerity_resource('syntax-highlighting-css');
 
+      if (!$can_highlight) {
         $highlighted = PhabricatorSyntaxHighlighter::highlightWithFilename(
           $path,
           $file_corpus);
-        $lines = phutil_split_lines($highlighted);
       } else {
-        $lines = phutil_split_lines($file_corpus);
+        // Highlight as plain text to escape the content properly.
+        $highlighted = PhabricatorSyntaxHighlighter::highlightWithLanguage(
+          'txt',
+          $file_corpus);
       }
 
+      $lines = phutil_split_lines($highlighted);
+
       $rows = $this->buildDisplayRows(
         $lines,
         $blame_list,
