r100520 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r100519‎ \| r100520 \| r100521 >
Date:	22:19, 22 October 2011
Author:	platonides
Status:	deferred (Comments)
Tags:
Comment:	Escape html
Modified paths:	/trunk/extensions/RecordAdmin/RecordAdmin_body.php (modified) (history)

Diff [purge]

Index: trunk/extensions/RecordAdmin/RecordAdmin_body.php
—	—	@@ -87,7 +87,7 @@
88	88	# Add a tab for each type with a form filled in with the parameters from its template call
89	89	$jsFormsList = array();
90	90	$tabset = "<div class=\"tabset\">";
91		~~- $tabset .= "<fieldset><legend>" . wfMsg( 'recordadmin-properties' ) . "</legend>";~~
	91	+ $tabset .= "<fieldset><legend>" . wfMsgHtml( 'recordadmin-properties' ) . "</legend>";
92	92	$tabset .= wfMsg( 'recordadmin-edit-info', $wgRequest->appendQuery( 'nora=1' ) ) . "</fieldset>";
93	93	foreach( $records as $type => $record ) {
94	94	$jsFormsList[] = "'$type'";
—	—	@@ -95,7 +95,7 @@
96	96	$this->examineForm();
97	97	$values = $this->valuesFromText( $record );
98	98	$this->populateForm( $values );
99		~~- $tabset .= "<fieldset><legend>$type " . strtolower( wfMsg( 'recordadmin-properties' ) ) . "</legend>\n";~~
	99	+ $tabset .= "<fieldset><legend>$type " . strtolower( wfMsgHtml( 'recordadmin-properties' ) ) . "</legend>\n";
100	100	$tabset .= "<form id=\"" . strtolower($type) . "-form\" class=\"{$this->formClass}\"{$this->formAtts}>$this->form</form>\n";
101	101	$tabset .= "</fieldset>";
102	102	}
—	—	@@ -303,7 +303,7 @@
304	304	*/
305	305	function renderRecords( $records, $cols = false, $sortable = true, $template = false, $name = 'wpSelect', $export = true, $groupby = false ) {
306	306	global $wgOut, $wgParser, $wgTitle, $wgRequest;
307		~~- if( count( $records ) < 1 ) return wfMsg( 'recordadmin-nomatch' );~~
	307	+ if( count( $records ) < 1 ) return wfMsgHtml( 'recordadmin-nomatch' );
308	308	if( $groupby ) $groupby = self::split( $groupby, ',' );
309	309
310	310	$type = $this->type;
—	—	@@ -324,11 +324,11 @@
325	325	# Table header (col0-3 class atts are for backward compatibility, only use named from now on)
326	326	$table = "<table$id class='recordadmin$sortable $type-record'>\n<tr>";
327	327	$th = array(
328		~~- 'select' => "<th class='col-select'>" . wfMsg( 'recordadmin-select' ) . "$br</th>",~~
329		~~- 'title' => "<th class='col0 col-title'>" . wfMsg( 'recordadmin-title', $type ) . "$br</th>",~~
330		~~- 'actions' => "<th class='col1 col-actions'>" . wfMsg( 'recordadmin-actions' ) . "$br</th>",~~
331		~~- 'created' => "<th class='col2 col-created'>" . wfMsg( 'recordadmin-created' ) . "$br</th>",~~
332		~~- 'modified' => "<th class='col3 col-modified'>" . wfMsg( 'recordadmin-modified' ) . "$br</th>"~~
	328	+ 'select' => "<th class='col-select'>" . wfMsgHtml( 'recordadmin-select' ) . "$br</th>",
	329	+ 'title' => "<th class='col0 col-title'>" . wfMsgHtml( 'recordadmin-title', $type ) . "$br</th>",
	330	+ 'actions' => "<th class='col1 col-actions'>" . wfMsgHtml( 'recordadmin-actions' ) . "$br</th>",
	331	+ 'created' => "<th class='col2 col-created'>" . wfMsgHtml( 'recordadmin-created' ) . "$br</th>",
	332	+ 'modified' => "<th class='col3 col-modified'>" . wfMsgHtml( 'recordadmin-modified' ) . "$br</th>"
333	333	);
334	334	foreach( array_keys( $this->types ) as $col ) {
335	335	$class = 'col' . preg_replace( "\|\W\|", "-", $col );
—	—	@@ -353,13 +353,13 @@
354	354	$tmp = array();
355	355	foreach( $records as $k1 => $v1 ) {
356	356	if( empty( $k1 ) ) {
357		~~- $k1 = wfMsg( 'recordadmin-notset', $groupby[0] );~~
	357	+ $k1 = wfMsgHtml( 'recordadmin-notset', $groupby[0] );
358	358	}
359	359	$tmp[] = "$td<h2>$k1</h2></td>\n";
360	360	foreach( $v1 as $k2 => $v2 ) {
361	361	if( isset( $groupby[1] ) ) {
362	362	if( empty( $k2 ) ) {
363		~~- $k2 = wfMsg( 'recordadmin-notset', $groupby[1] );~~
	363	+ $k2 = wfMsgHtml( 'recordadmin-notset', $groupby[1] );
364	364	}
365	365	$tmp[] = "$td<h3>$k2</h3></td>\n";
366	366	foreach( $v2 as $v3 ) $tmp[] = $v3;
—	—	@@ -429,7 +429,7 @@
430	430	'select' => "<td class='col-select'>$sel</td>\n",
431	431	'title' => "<td class='col0 col-title'><a href='$u'>$col</a></td>",
432	432	'actions' => "<td class='col1 col-actions'><a href='" . $t->getLocalURL( "action=edit" ) . "'>"
433		~~- . wfMsg( 'recordadmin-editlink' ) . "</a></td>",~~
	433	+ . wfMsgHtml( 'recordadmin-editlink' ) . "</a></td>",
434	434	'created' => "<td class='col2 col-created'>$tsc</td>\n",
435	435	'modified' => "<td class='col3 col-modified'>$tsm</td>\n"
436	436	);
—	—	@@ -497,10 +497,10 @@
498	498	$url = $wgTitle->getLocalURL( $qs );
499	499	$table .= "\n<a class=\"recordadmin-export-url\" href=\"$url\">URL</a>";
500	500	if( in_array( 'csv', $export ) ) {
501		~~- $table .= "\n<a class=\"recordadmin-export-csv\" href=\"$url&export=csv\">" . wfMsg( 'recordadmin-export-csv' ) . "</a>";~~
	501	+ $table .= "\n<a class=\"recordadmin-export-csv\" href=\"$url&export=csv\">" . wfMsgHtml( 'recordadmin-export-csv' ) . "</a>";
502	502	}
503	503	if( in_array( 'pdf', $export ) ) {
504		~~- $table .= "\n<a class=\"recordadmin-export-pdf\" href=\"$url&export=pdf\">" . wfMsg( 'recordadmin-export-pdf' ) . "</a>";~~
	504	+ $table .= "\n<a class=\"recordadmin-export-pdf\" href=\"$url&export=pdf\">" . wfMsgHtml( 'recordadmin-export-pdf' ) . "</a>";
505	505	}
506	506	}
507	507
—	—	@@ -551,9 +551,9 @@
552	552	else {
553	553
554	554	# Create a red link to the form if it doesn't exist
555		~~- $form = '<b>' . wfMsg( 'recordadmin-noform', $type ) . '</b>'~~
	555	+ $form = '<b>' . wfMsgHtml( 'recordadmin-noform', $type ) . '</b>'
556	556	. '<br /><a href="' . $title->getLocalURL( 'action=edit' )
557		~~- . '">(' . wfMsg( 'recordadmin-createlink' ) . ')</a><br />';~~
	557	+ . '">(' . wfMsgHtml( 'recordadmin-createlink' ) . ')</a><br />';
558	558	}
559	559	} else $form = '';
560	560	$this->form = $form;
—	—	@@ -884,19 +884,19 @@
885	885	$ttitle = Title::newFromtext( $newtype, NS_TEMPLATE );
886	886	$ftitle = Title::newFromtext( $newtype, NS_FORM );
887	887	if( !is_object( $ttitle ) \|\| !is_object( $ftitle ) ) {
888		~~- $wgOut->addHTML( "<div class='errorbox'>" . wfMsg( 'recordadmin-createerror', $rtype ) . "</div>\n" );~~
	888	+ $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-createerror', $rtype ) . "</div>\n" );
889	889	}
890	890	$tttext = $ttitle->getPrefixedText();
891	891	$fttext = $ftitle->getPrefixedText();
892	892
893	893	# check if the template already exists
894	894	if( $ttitle->exists() ) {
895		~~- $wgOut->addHTML( "<div class='errorbox'>" . wfMsg( 'recordadmin-alreadyexist', $tttext ) . "</div>\n" );~~
	895	+ $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-alreadyexist', $tttext ) . "</div>\n" );
896	896	}
897	897
898	898	# check if the form already exists
899	899	elseif( $ftitle->exists() ) {
900		~~- $wgOut->addHTML( "<div class='errorbox'>" . wfMsg( 'recordadmin-alreadyexist', $fttext ) . "</div>\n" );~~
	900	+ $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-alreadyexist', $fttext ) . "</div>\n" );
901	901	}
902	902
903	903	# Attempt to create the template and form
—	—	@@ -914,15 +914,15 @@
915	915	if( $success ) {
916	916	$cat = Title::newFromText( $wgRecordAdminCategory, NS_CATEGORY )->getPrefixedText();
917	917	$url = $ftitle->getLocalUrl( 'action=edit' );
918		~~- $link = "<a href=\"$url\">" . wfMsg( 'recordadmin-needscontent' ) . "</a>";~~
	918	+ $link = "<a href=\"$url\">" . wfMsgHtml( 'recordadmin-needscontent' ) . "</a>";
919	919	$text = "<html>\n\t<form>\n\t\t<table>\n\t\t$link\n\t\t</table>\n\t</form>\n</html>";
920	920	$article = new Article( $ftitle );
921	921	$success = $article->doEdit( $text, $summary, EDIT_NEW );
922		~~- if( !$success ) $wgOut->addHTML( "<div class='errorbox'>" . wfMsg( 'recordadmin-createerror', $fttext ) . "</div>\n" );~~
923		~~- } else $wgOut->addHTML( "<div class='errorbox'>" . wfMsg( 'recordadmin-createerror', $tttext ) . "</div>\n" );~~
	922	+ if( !$success ) $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-createerror', $fttext ) . "</div>\n" );
	923	+ } else $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-createerror', $tttext ) . "</div>\n" );
924	924
925	925	# Report success
926		~~- if( $success ) $wgOut->addHTML( "<div class='successbox'>" . wfMsg( 'recordadmin-createsuccess', $rtype ) . "</div>\n" );~~
	926	+ if( $success ) $wgOut->addHTML( "<div class='successbox'>" . wfMsgHtml( 'recordadmin-createsuccess', $rtype ) . "</div>\n" );
927	927	}
928	928	}
929	929

Follow-up revisions

Revision	Commit summary	Author	Date
r100612	Follow up r100520: Also escape message parameters	platonides	16:19, 24 October 2011

Comments

#Comment by Nikerabbit (talk | contribs) 08:03, 23 October 2011

wfMsgHtml doesn't escape parameter values.

Status & tagging log

23:57, 22 October 2011 Reedy (talk | contribs) changed the status of r100520 [removed: new added: deferred]