Escape result of PhabricatorOAuthProvider::getProviderName()

Test Plan: /settings/page/facebook/

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1556

src/applications/auth/controller/login/PhabricatorLoginController.php

@@ -198,14 +198,16 @@ public function processRequest() {
 
       if ($provider->isProviderRegistrationEnabled()) {
         $title = "Login or Register with {$provider_name}";
-        $body = "Login or register for Phabricator using your ".
-                "{$provider_name} account.";
+        $body = 'Login or register for Phabricator using your '.
+                phutil_escape_html($provider_name).' account.';
         $button = "Login or Register with {$provider_name}";
       } else {
         $title = "Login with {$provider_name}";
-        $body = "Login to your existing Phabricator account using your ".
-                "{$provider_name} account.<br /><br /><strong>You can not use ".
-                "{$provider_name} to register a new account.</strong>";
+        $body = 'Login to your existing Phabricator account using your '.
+                phutil_escape_html($provider_name).' account.<br /><br />'.
+                '<strong>You can not use '.
+                phutil_escape_html($provider_name).' to register a new '.
+                'account.</strong>';
         $button = "Login with {$provider_name}";
       }
 

src/applications/auth/controller/login/__init__.php

@@ -21,6 +21,7 @@
 phutil_require_module('phabricator', 'view/form/error');
 phutil_require_module('phabricator', 'view/layout/panel');
 
+phutil_require_module('phutil', 'markup');
 phutil_require_module('phutil', 'parser/uri');
 phutil_require_module('phutil', 'utils');
 

src/applications/auth/controller/oauth/PhabricatorOAuthLoginController.php

@@ -41,7 +41,7 @@ public function processRequest() {
       return new Aphront400Response();
     }
 
-    $provider_name = $provider->getProviderName();
+    $provider_name = phutil_escape_html($provider->getProviderName());
     $provider_key = $provider->getProviderKey();
 
     $request = $this->getRequest();
@@ -113,7 +113,7 @@ public function processRequest() {
       if (!$request->isDialogFormPost()) {
         $dialog = new AphrontDialogView();
         $dialog->setUser($current_user);
-        $dialog->setTitle('Link '.$provider_name.' Account');
+        $dialog->setTitle('Link '.$provider->getProviderName().' Account');
         $dialog->appendChild(
           '<p>Link your '.$provider_name.' account to your Phabricator '.
           'account?</p>');
@@ -184,7 +184,8 @@ public function processRequest() {
     if (!$provider->isProviderRegistrationEnabled()) {
       $dialog = new AphrontDialogView();
       $dialog->setUser($current_user);
-      $dialog->setTitle('No Account Registration With '.$provider_name);
+      $dialog->setTitle('No Account Registration With '.
+        $provider->getProviderName());
       $dialog->appendChild(
         '<p>You can not register a new account using '.$provider_name.'; '.
         'you can only use your '.$provider_name.' account to log into an '.

src/applications/auth/controller/oauth/__init__.php

@@ -18,6 +18,7 @@
 phutil_require_module('phabricator', 'infrastructure/env');
 phutil_require_module('phabricator', 'view/dialog');
 
+phutil_require_module('phutil', 'markup');
 phutil_require_module('phutil', 'parser/uri');
 phutil_require_module('phutil', 'symbols');
 phutil_require_module('phutil', 'utils');

src/applications/auth/controller/unlink/PhabricatorOAuthUnlinkController.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright 2011 Facebook, Inc.
+ * Copyright 2012 Facebook, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,7 +35,6 @@ public function processRequest() {
         "You may not unlink accounts from this OAuth provider.");
     }
 
-    $provider_name = $provider->getProviderName();
     $provider_key = $provider->getProviderKey();
 
     $oauth_info = id(new PhabricatorUserOAuthInfo())->loadOneWhere(

src/applications/auth/view/oauthfailure/PhabricatorOAuthFailureView.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright 2011 Facebook, Inc.
+ * Copyright 2012 Facebook, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,12 +34,12 @@ public function setOAuthProvider($provider) {
   public function render() {
     $request = $this->request;
     $provider = $this->provider;
-    $provider_name = $provider->getProviderName();
+    $provider_name = phutil_escape_html($provider->getProviderName());
 
     $diagnose = null;
 
     $view = new AphrontRequestFailureView();
-    $view->setHeader($provider_name.' Auth Failed');
+    $view->setHeader($provider->getProviderName().' Auth Failed');
     if ($this->request) {
       $view->appendChild(
         '<p>'.

src/applications/people/controller/settings/panels/oauth/PhabricatorUserOAuthSettingsPanelController.php

@@ -52,9 +52,9 @@ public function processRequest() {
       $form
         ->appendChild(
           '<p class="aphront-form-instructions">There is currently no '.
-          $provider_name.' account linked to your Phabricator account. You '.
-          'can link an account, which will allow you to use it to log into '.
-          'Phabricator.</p>');
+          phutil_escape_html($provider_name).' account linked to your '.
+          'Phabricator account. You can link an account, which will allow you '.
+          'to use it to log into Phabricator.</p>');
 
       $auth_uri = $provider->getAuthURI();
       $client_id = $provider->getClientID();
@@ -80,8 +80,9 @@ public function processRequest() {
       $form
         ->appendChild(
           '<p class="aphront-form-instructions">Your account is linked with '.
-          'a '.$provider_name.' account. You may use your '.$provider_name.' '.
-          'credentials to log into Phabricator.</p>')
+          'a '.phutil_escape_html($provider_name).' account. You may use your '.
+          phutil_escape_html($provider_name).' credentials to log into '.
+          'Phabricator.</p>')
         ->appendChild(
           id(new AphrontFormStaticControl())
             ->setLabel($provider_name.' ID')
@@ -102,8 +103,9 @@ public function processRequest() {
           ->setUser($user)
           ->appendChild(
             '<p class="aphront-form-instructions">You may unlink this account '.
-            'from your '.$provider_name.' account. This will prevent you from '.
-            'logging in with your '.$provider_name.' credentials.</p>')
+            'from your '.phutil_escape_html($provider_name).' account. This '.
+            'will prevent you from logging in with your '.
+            phutil_escape_html($provider_name).' credentials.</p>')
           ->appendChild(
             id(new AphrontFormSubmitControl())
               ->addCancelButton('/oauth/'.$provider_key.'/unlink/', $unlink));

src/applications/people/controller/settings/panels/oauth/__init__.php

@@ -15,6 +15,7 @@
 phutil_require_module('phabricator', 'view/null');
 phutil_require_module('phabricator', 'view/utils');
 
+phutil_require_module('phutil', 'markup');
 phutil_require_module('phutil', 'utils');