 /**
  * Table-driven check of PhabricatorEnv::isValidRemoteURIForLink().
  *
  * Per this table an "http://" URI is linkable while an unknown scheme
  * ("derp:") and "javascript:" are not. Loopback and link-local hosts are
  * accepted -- presumably because this check governs whether a URI may be
  * emitted as a link, not whether the server may fetch it.
  */
 public function testRemoteURIForLink()
 {
     $cases = array(
         'http://example.com/' => true,
         'derp://example.com/' => false,
         'javascript:alert(1)' => false,
         'http://127.0.0.1/' => true,
         'http://169.254.169.254/latest/meta-data/hostname' => true,
     );

     foreach ($cases as $uri => $expected) {
         $actual = PhabricatorEnv::isValidRemoteURIForLink($uri);
         $this->assertEqual(
             $expected,
             $actual,
             pht('Valid linkable remote URI: %s', $uri));
     }
 }
 /**
  * Remarkup rule body for navigation sequences ("A > B > C").
  *
  * Each ">"-separated element is either a bare name or a "key=value"
  * option list (name, type, href, icon). In text mode the sequence is
  * joined with " > "; otherwise each element becomes a shaded tag and the
  * whole sequence is stored with the engine.
  *
  * @param array $matches Regex matches; [0] is the full match, [1] the
  *   element list.
  * @return mixed The untouched match when it is not flat text, a plain
  *   string in text mode, otherwise the engine's stored-text token.
  */
 public function markupNavigation(array $matches)
 {
     $whole_match = $matches[0];
     if (!$this->isFlatText($whole_match)) {
         return $whole_match;
     }

     $defaults = array(
         'name' => null,
         'type' => 'link',
         'href' => null,
         'icon' => null,
     );

     // An element containing "=" is an option list; anything else is a name.
     $option_parser = new PhutilSimpleOptions();
     $items = array();
     $raw_elements = explode('>', ltrim($matches[1], ", \n"));
     foreach ($raw_elements as $raw_element) {
         if (strpos($raw_element, '=') !== false) {
             $items[] = $option_parser->parse($raw_element) + $defaults;
         } else {
             $items[] = array('name' => trim($raw_element)) + $defaults;
         }
     }

     if ($this->getEngine()->isTextMode()) {
         return implode(' > ', ipull($items, 'name'));
     }

     // The icon set is cached across calls. An icon that is not in this set
     // is dropped rather than passed through to the tag.
     static $known_icons;
     if (!$known_icons) {
         $known_icons = array_fuse(PHUIIconView::getIcons());
     }

     $tags = array();
     foreach ($items as $item) {
         $label = $item['name'];
         $shade = PHUITagView::COLOR_GREY;
         if ($item['type'] == 'instructions') {
             $label = phutil_tag('em', array(), $label);
             $shade = PHUITagView::COLOR_INDIGO;
         }

         $tag = id(new PHUITagView())
             ->setType(PHUITagView::TYPE_SHADE)
             ->setShade($shade)
             ->setName($label);

         if ($item['icon']) {
             $icon = 'fa-' . $item['icon'];
             if (isset($known_icons[$icon])) {
                 $tag->setIcon($icon);
             }
         }

         // Only hrefs that pass the remote-URI check become links; anything
         // else (e.g. a "javascript:" href) renders as an unlinked tag.
         $href = $item['href'];
         if ($href !== null && PhabricatorEnv::isValidRemoteURIForLink($href)) {
             $tag->setHref($href);
             $tag->setExternal(true);
         }

         $tags[] = $tag;
     }

     if ($this->getEngine()->isHTMLMailMode()) {
         $arrow_attr = array('style' => 'color: #92969D;');
         $nav_attr = array();
     } else {
         $arrow_attr = array('class' => 'remarkup-nav-sequence-arrow');
         $nav_attr = array('class' => 'remarkup-nav-sequence');
     }

     $arrow = phutil_tag('span', $arrow_attr, " → ");
     $sequence_html = phutil_tag(
         'span',
         $nav_attr,
         phutil_implode_html($arrow, $tags));

     return $this->getEngine()->storeText($sequence_html);
 }
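 /**
  * Renders this field's value for a property view: linkified when it is a
  * linkable remote URI, returned as-is otherwise.
  *
  * @param array $handles Not used by this field; part of the field API.
  * @return mixed null for an empty value, the raw value when it does not
  *   pass the remote-URI check, otherwise an <a> tag targeting a new tab.
  */
 public function renderPropertyViewValue(array $handles)
 {
     $value = $this->getFieldValue();

     // Treat null explicitly as empty: strlen(null) is deprecated on
     // PHP 8.1+, and an unset field should simply render nothing.
     if ($value === null || !strlen($value)) {
         return null;
     }

     // Values that fail the remote-URI check (unknown scheme, "javascript:")
     // are returned as plain text so they are never emitted as a link.
     if (!PhabricatorEnv::isValidRemoteURIForLink($value)) {
         return $value;
     }

     // NOTE(review): the link opens in a new tab; consider adding
     // 'rel' => 'noopener' if older browsers must be protected from the
     // opener reference -- confirm against the project's link conventions.
     return phutil_tag(
         'a',
         array(
             'href' => $value,
             'target' => '_blank',
         ),
         $value);
 }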
 /**
  * Renders an external account card: the best available name, the
  * provider label with the account ID, the account URI (linked only when
  * it passes the remote-URI check) and the profile image.
  *
  * @return mixed The assembled "auth-account-view" tag.
  */
 public function render()
 {
     $account = $this->externalAccount;
     $provider = $this->provider;

     require_celerity_resource('auth-css');

     $display_name = $account->getDisplayName();
     $username = $account->getUsername();
     $real_name = $account->getRealName();

     // Prefer the most descriptive name on record and fall back to the raw
     // account ID so the card is never nameless.
     if (strlen($display_name)) {
         $shown_name = $display_name;
     } else if (strlen($username) && strlen($real_name)) {
         $shown_name = $username . ' (' . $real_name . ')';
     } else if (strlen($username)) {
         $shown_name = $username;
     } else if (strlen($real_name)) {
         $shown_name = $real_name;
     } else {
         $shown_name = $account->getAccountID();
     }

     $rows = array();
     $rows[] = phutil_tag(
         'div',
         array('class' => 'auth-account-view-name'),
         $shown_name);

     if ($provider) {
         $provider_label = pht('%s Account', $provider->getProviderName());
     } else {
         $provider_label = pht('"%s" Account', $account->getProviderType());
     }
     $rows[] = phutil_tag(
         'div',
         array('class' => 'auth-account-view-provider-name'),
         array($provider_label, " · ", $account->getAccountID()));

     $account_uri = $account->getAccountURI();
     if (strlen($account_uri)) {
         // A URI that fails the remote-URI check (for example a
         // "javascript:" URI that somehow ended up on the account) is shown
         // as text only, never as a link.
         $uri_display = $account_uri;
         if (PhabricatorEnv::isValidRemoteURIForLink($account_uri)) {
             $uri_display = phutil_tag(
                 'a',
                 array('href' => $account_uri, 'target' => '_blank'),
                 $account_uri);
         }
         $rows[] = phutil_tag(
             'div',
             array('class' => 'auth-account-view-account-uri'),
             $uri_display);
     }

     $image_file = $account->getProfileImageFile();
     $transform = PhabricatorFileTransform::getTransformByKey(
         PhabricatorFileThumbnailTransform::TRANSFORM_PROFILE);
     $image_uri = $image_file->getURIForTransform($transform);
     list($width, $height) = $transform->getTransformedDimensions($image_file);

     // NOTE(review): $image_uri is interpolated raw into a style attribute.
     // It comes from the file transform rather than user input -- confirm
     // it can never contain ')' or quote characters.
     $image = phutil_tag(
         'div',
         array(
             'class' => 'auth-account-view-profile-image',
             'style' => 'background-image: url(' . $image_uri . ');',
         ));

     return phutil_tag(
         'div',
         array('class' => 'auth-account-view'),
         array($image, $rows));
 }
 /**
  * Adds the import's "Source URI" row to a property list.
  *
  * The URI is replaced by a "Restricted" placeholder unless the viewer can
  * edit the import, because the URI may carry a secret hash. For editors
  * it is linkified only when it passes the remote-URI check.
  *
  * @param PhabricatorUser $viewer
  * @param PhabricatorCalendarImport $import
  * @param PHUIPropertyListView $properties Receives the new row.
  * @return void
  */
 public function appendImportProperties(
     PhabricatorUser $viewer,
     PhabricatorCalendarImport $import,
     PHUIPropertyListView $properties)
 {
     $source_uri = $import->getParameter(
         PhabricatorCalendarImportICSURITransaction::PARAMKEY_URI);

     $can_edit = PhabricatorPolicyFilter::hasCapability(
         $viewer,
         $import,
         PhabricatorPolicyCapability::CAN_EDIT);

     if (!$can_edit) {
         // Never reveal the URI to non-editors: it may embed a secret hash.
         $display = phutil_tag('em', array(), pht('Restricted'));
     } else if (PhabricatorEnv::isValidRemoteURIForLink($source_uri)) {
         $display = phutil_tag(
             'a',
             array('href' => $source_uri, 'target' => '_blank'),
             $source_uri);
     } else {
         $display = $source_uri;
     }

     $properties->addProperty(pht('Source URI'), $display);
 }
 /**
  * Decides whether an OAuth client redirect URI is acceptable.
  *
  * See http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2
  * for the rules behind this: the URI must pass the remote-URI check (so
  * "javascript:" and unknown schemes are refused), carry no fragment, and
  * name a domain.
  *
  * NOTE(review): the remote-URI check is handed a PhutilURI object here
  * rather than a string as at other call sites -- confirm it accepts one.
  *
  * @param PhutilURI $uri
  * @return bool
  */
 public function validateRedirectURI(PhutilURI $uri)
 {
     // Evaluation short-circuits: the fragment and domain are only
     // inspected once the URI has passed the remote-URI check.
     return
         PhabricatorEnv::isValidRemoteURIForLink($uri) &&
         !$uri->getFragment() &&
         (bool)$uri->getDomain();
 }
 /**
  * Builds the "Event Properties" box for a GitHub event item.
  *
  * @param mixed $item Raw item, handed to newRawEvent().
  * @return PHUIObjectBoxView
  */
 private function newGitHubEventItemPropertyBox($item)
 {
     $viewer = $this->getViewer();
     $properties = id(new PHUIPropertyListView())->setViewer($viewer);

     $event = $this->newRawEvent($item);
     $properties->addProperty(pht('GitHub Event ID'), $event->getID());

     // An empty URI adds no row. A non-empty URI is always shown, but only
     // becomes a link when it passes the remote-URI check.
     $uri = $event->getURI();
     if ($uri) {
         $uri_display = $uri;
         if (PhabricatorEnv::isValidRemoteURIForLink($uri)) {
             $uri_display = phutil_tag('a', array('href' => $uri), $uri);
         }
         $properties->addProperty(pht('GitHub Event URI'), $uri_display);
     }

     $box = id(new PHUIObjectBoxView())
         ->setHeaderText(pht('Event Properties'))
         ->setBackground(PHUIObjectBoxView::BLUE_PROPERTY);

     return $box->appendChild($properties);
 }