Return safe HTML from all render()

Summary:
This is pretty brutal and it adds some `phutil_safe_html()`.
But it is a big step in the right direction.

Test Plan: None.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T2432

Differential Revision: https://secure.phabricator.com/D4905

Author: vrana

src/aphront/response/Aphront403Response.php

@@ -26,7 +26,7 @@ public function buildResponseString() {
     }
     $failure = new AphrontRequestFailureView();
     $failure->setHeader('403 Forbidden');
-    $failure->appendChild('<p>'.$forbidden_text.'</p>');
+    $failure->appendChild(phutil_tag('p', array(), $forbidden_text));
 
     $view = new PhabricatorStandardPageView();
     $view->setTitle('403 Forbidden');

src/aphront/response/Aphront404Response.php

@@ -12,7 +12,8 @@ public function getHTTPResponseCode() {
   public function buildResponseString() {
     $failure = new AphrontRequestFailureView();
     $failure->setHeader('404 Not Found');
-    $failure->appendChild('<p>The page you requested was not found.</p>');
+    $failure->appendChild(phutil_tag('p', array(), pht(
+      'The page you requested was not found.')));
 
     $view = new PhabricatorStandardPageView();
     $view->setTitle('404 Not Found');

src/applications/auth/controller/PhabricatorDisabledUserController.php

@@ -16,8 +16,8 @@ public function processRequest() {
 
     $failure_view = new AphrontRequestFailureView();
     $failure_view->setHeader(pht('Account Disabled'));
-    $failure_view->appendChild(
-      '<p>'.pht('Your account has been disabled.').'</p>');
+    $failure_view->appendChild(phutil_tag('p', array(), pht(
+      'Your account has been disabled.')));
 
     return $this->buildStandardPageResponse(
       $failure_view,

src/applications/auth/controller/PhabricatorEmailLoginController.php

@@ -98,10 +98,8 @@ public function processRequest() {
 
           $view = new AphrontRequestFailureView();
           $view->setHeader(pht('Check Your Email'));
-          $view->appendChild(
-            '<p>'.pht(
-              'An email has been sent with a link you can use to login.'
-            ).'</p>');
+          $view->appendChild(phutil_tag('p', array(), pht(
+              'An email has been sent with a link you can use to login.')));
           return $this->buildStandardPageResponse(
             $view,
             array(

src/applications/auth/controller/PhabricatorEmailTokenController.php

@@ -50,17 +50,16 @@ public function processRequest() {
 
       $view = new AphrontRequestFailureView();
       $view->setHeader(pht('Unable to Login'));
-      $view->appendChild(
-        '<p>'.pht('The authentication information in the link you clicked is '.
+      $view->appendChild(phutil_tag('p', array(), pht(
+        'The authentication information in the link you clicked is '.
         'invalid or out of date. Make sure you are copy-and-pasting the '.
         'entire link into your browser. You can try again, or request '.
-        'a new email.').'</p>');
-      $view->appendChild(
+        'a new email.')));
+      $view->appendChild(hsprintf(
         '<div class="aphront-failure-continue">'.
-          '<a class="button" href="/login/email/">'.
-            pht('Send Another Email').
-          '</a>'.
-        '</div>');
+          '<a class="button" href="/login/email/">%s</a>'.
+        '</div>',
+        pht('Send Another Email')));
 
       return $this->buildStandardPageResponse(
         $view,

src/applications/auth/controller/PhabricatorLoginValidateController.php

@@ -49,14 +49,16 @@ public function processRequest() {
 
       $view = new AphrontRequestFailureView();
       $view->setHeader(pht('Login Failed'));
-      $view->appendChild(
-        '<p>'.pht('Login failed:').'</p>'.
-        $list.
-        '<p>'.pht('<strong>Clear your cookies</strong> and try again.').'</p>');
-      $view->appendChild(
+      $view->appendChild(hsprintf(
+        '<p>%s</p>%s<p>%s</p>',
+        pht('Login failed:'),
+        $list,
+        pht('<strong>Clear your cookies</strong> and try again.')));
+      $view->appendChild(hsprintf(
         '<div class="aphront-failure-continue">'.
-          '<a class="button" href="/login/">'.pht('Try Again').'</a>'.
-        '</div>');
+          '<a class="button" href="/login/">%s</a>'.
+        '</div>',
+        pht('Try Again')));
       return $this->buildStandardPageResponse(
         $view,
         array(

src/applications/auth/controller/PhabricatorMustVerifyEmailController.php

@@ -41,31 +41,26 @@ public function processRequest() {
 
     $error_view = new AphrontRequestFailureView();
     $error_view->setHeader(pht('Check Your Email'));
-    $error_view->appendChild(
-      '<p>'.
-      pht('You must verify your email address to login. You should have a new '.
+    $error_view->appendChild(phutil_tag('p', array(), pht(
+      'You must verify your email address to login. You should have a new '.
       'email message from Phabricator with verification instructions in your '.
-      'inbox (%s).', phutil_tag('strong', array(), $email_address)).
-      '</p>');
-    $error_view->appendChild(
-      '<p>'.
-      pht('If you did not receive an email, you can click the button below '.
-      'to try sending another one.').
-      '</p>');
-    $error_view->appendChild(
-      '<div class="aphront-failure-continue">'.
-        phabricator_form(
-          $user,
+      'inbox (%s).', phutil_tag('strong', array(), $email_address))));
+    $error_view->appendChild(phutil_tag('p', array(), pht(
+      'If you did not receive an email, you can click the button below '.
+      'to try sending another one.')));
+    $error_view->appendChild(hsprintf(
+      '<div class="aphront-failure-continue">%s</div>',
+      phabricator_form(
+        $user,
+        array(
+          'action' => '/login/mustverify/',
+          'method' => 'POST',
+        ),
+        phutil_tag(
+          'button',
           array(
-            'action' => '/login/mustverify/',
-            'method' => 'POST',
           ),
-          phutil_tag(
-            'button',
-            array(
-            ),
-            pht('Send Another Email'))).
-      '</div>');
+          pht('Send Another Email')))));
 
 
     return $this->buildApplicationPage(

src/applications/auth/view/PhabricatorOAuthFailureView.php

@@ -77,11 +77,12 @@ public function render() {
         $provider_name);
     }
 
-    $view->appendChild(
+    $view->appendChild(hsprintf(
       '<div class="aphront-failure-continue">'.
-        $diagnose.
-        '<a href="/login/" class="button">'.pht('Continue').'</a>'.
-      '</div>');
+        '%s<a href="/login/" class="button">%s</a>'.
+      '</div>',
+      $diagnose,
+      pht('Continue')));
 
     return $view->render();
   }

src/applications/calendar/view/AphrontCalendarMonthView.php

@@ -48,9 +48,10 @@ public function render() {
 
     $markup = array();
 
-    $empty_box =
-      '<div class="aphront-calendar-day aphront-calendar-empty">'.
-      '</div>';
+    $empty_box = phutil_tag(
+      'div',
+      array('class' => 'aphront-calendar-day aphront-calendar-empty'),
+      '');
 
     for ($ii = 0; $ii < $empty; $ii++) {
       $markup[] = $empty_box;
@@ -79,9 +80,10 @@ public function render() {
       } else {
         $show_events = array_fill_keys(
           array_keys($show_events),
-          '<div class="aphront-calendar-event aphront-calendar-event-empty">'.
-            '&nbsp;'.
-          '</div>');
+          hsprintf(
+            '<div class="aphront-calendar-event aphront-calendar-event-empty">'.
+              '&nbsp;'.
+            '</div>'));
       }
 
       foreach ($events as $event) {
@@ -110,31 +112,32 @@ public function render() {
           $name);
       }
 
-      $markup[] =
-        '<div class="'.$class.'">'.
-          '<div class="aphront-calendar-date-number">'.
-            $day_number.
-          '</div>'.
-          $holiday_markup.
-          implode("\n", $show_events).
-        '</div>';
+      $markup[] = hsprintf(
+        '<div class="%s">'.
+          '<div class="aphront-calendar-date-number">%s</div>'.
+          '%s%s'.
+        '</div>',
+        $class,
+        $day_number,
+        $holiday_markup,
+        phutil_implode_html("\n", $show_events));
     }
 
     $table = array();
     $rows = array_chunk($markup, 7);
     foreach ($rows as $row) {
-      $table[] = '<tr>';
+      $table[] = hsprintf('<tr>');
       while (count($row) < 7) {
         $row[] = $empty_box;
       }
       foreach ($row as $cell) {
-        $table[] = '<td>'.$cell.'</td>';
+        $table[] = phutil_tag('p', array(), $cell);
       }
-      $table[] = '</tr>';
+      $table[] = hsprintf('</tr>');
     }
-    $table =
+    $table = hsprintf(
       '<table class="aphront-calendar-view">'.
-        $this->renderCalendarHeader($first).
+       '%s'.
        '<tr class="aphront-calendar-day-of-week-header">'.
           '<th>Sun</th>'.
           '<th>Mon</th>'.
@@ -144,8 +147,10 @@ public function render() {
           '<th>Fri</th>'.
           '<th>Sat</th>'.
         '</tr>'.
-        implode("\n", $table).
-      '</table>';
+        '%s'.
+      '</table>',
+      $this->renderCalendarHeader($first),
+      phutil_implode_html("\n", $table));
 
     return $table;
   }
@@ -176,16 +181,15 @@ private function renderCalendarHeader(DateTime $date) {
         "\xE2\x86\x92"
       );
 
-      $left_th = '<th>'.$prev_link.'</th>';
-      $right_th = '<th>'.$next_link.'</th>';
+      $left_th = phutil_tag('th', array(), $prev_link);
+      $right_th = phutil_tag('th', array(), $next_link);
     }
 
-    return
-      '<tr class="aphront-calendar-month-year-header">'.
-        $left_th.
-        '<th colspan="'.$colspan.'">'.$date->format('F Y').'</th>'.
-        $right_th.
-      '</tr>';
+    return hsprintf(
+      '<tr class="aphront-calendar-month-year-header">%s%s%s</tr>',
+      $left_th,
+      phutil_tag('th', array('colspan' => $colspan), $date->format('F Y')),
+      $right_th);
   }
 
   private function getNextYearAndMonth() {

src/applications/differential/controller/DifferentialRevisionViewController.php

@@ -386,14 +386,15 @@ public function processRequest() {
 
     $page_pane = id(new DifferentialPrimaryPaneView())
       ->setID($pane_id)
-      ->appendChild(
-        $comment_view->render().
-        $diff_history->render().
-        $warning.
-        $local_view->render().
-        $toc_view->render().
-        $other_view.
-        $changeset_view->render());
+      ->appendChild(array(
+        $comment_view->render(),
+        $diff_history->render(),
+        $warning,
+        $local_view->render(),
+        $toc_view->render(),
+        $other_view,
+        $changeset_view->render(),
+      ));
     if ($comment_form) {
       $page_pane->appendChild($comment_form->render());
     }
@@ -857,13 +858,12 @@ private function renderOtherRevisions(array $revisions) {
     $handles = $this->loadViewerHandles($phids);
     $view->setHandles($handles);
 
-    return
+    return hsprintf(
+      '%s<div class="differential-panel">%s</div>',
       id(new PhabricatorHeaderView())
         ->setHeader(pht('Open Revisions Affecting These Files'))
-        ->render().
-      '<div class="differential-panel">'.
-        $view->render().
-      '</div>';
+        ->render(),
+      $view->render());
   }
 
   /**