r100612 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r100611‎ \| r100612 \| r100613 >
Date:	16:19, 24 October 2011
Author:	platonides
Status:	resolved
Tags:
Comment:	Follow up r100520: Also escape message parameters
Modified paths:	/trunk/extensions/RecordAdmin/RecordAdmin_body.php (modified) (history)

Diff [purge]

Index: trunk/extensions/RecordAdmin/RecordAdmin_body.php
—	—	@@ -1,4 +1,4 @@
2		~~-<?php~~
	2	+w<?php
3	3	class RecordAdmin {
4	4
5	5	var $form = '';
—	—	@@ -325,7 +325,7 @@
326	326	$table = "<table$id class='recordadmin$sortable $type-record'>\n<tr>";
327	327	$th = array(
328	328	'select' => "<th class='col-select'>" . wfMsgHtml( 'recordadmin-select' ) . "$br</th>",
329		~~- 'title' => "<th class='col0 col-title'>" . wfMsgHtml( 'recordadmin-title', $type ) . "$br</th>",~~
	329	+ 'title' => "<th class='col0 col-title'>" . wfMsgHtml( 'recordadmin-title', htmlspecialchars( $type ) ) . "$br</th>",
330	330	'actions' => "<th class='col1 col-actions'>" . wfMsgHtml( 'recordadmin-actions' ) . "$br</th>",
331	331	'created' => "<th class='col2 col-created'>" . wfMsgHtml( 'recordadmin-created' ) . "$br</th>",
332	332	'modified' => "<th class='col3 col-modified'>" . wfMsgHtml( 'recordadmin-modified' ) . "$br</th>"
—	—	@@ -353,13 +353,13 @@
354	354	$tmp = array();
355	355	foreach( $records as $k1 => $v1 ) {
356	356	if( empty( $k1 ) ) {
357		~~- $k1 = wfMsgHtml( 'recordadmin-notset', $groupby[0] );~~
	357	+ $k1 = htmlspecialchars( wfMsg( 'recordadmin-notset', $groupby[0] ) );
358	358	}
359	359	$tmp[] = "$td<h2>$k1</h2></td>\n";
360	360	foreach( $v1 as $k2 => $v2 ) {
361	361	if( isset( $groupby[1] ) ) {
362	362	if( empty( $k2 ) ) {
363		~~- $k2 = wfMsgHtml( 'recordadmin-notset', $groupby[1] );~~
	363	+ $k2 = htmlspecialchars( wfMsg( 'recordadmin-notset', $groupby[1] ) );
364	364	}
365	365	$tmp[] = "$td<h3>$k2</h3></td>\n";
366	366	foreach( $v2 as $v3 ) $tmp[] = $v3;
—	—	@@ -551,7 +551,7 @@
552	552	else {
553	553
554	554	# Create a red link to the form if it doesn't exist
555		~~- $form = '<b>' . wfMsgHtml( 'recordadmin-noform', $type ) . '</b>'~~
	555	+ $form = '<b>' . wfMsgHtml( 'recordadmin-noform', htmlspecialchars( $type ) ) . '</b>'
556	556	. '<br /><a href="' . $title->getLocalURL( 'action=edit' )
557	557	. '">(' . wfMsgHtml( 'recordadmin-createlink' ) . ')</a><br />';
558	558	}
—	—	@@ -884,19 +884,19 @@
885	885	$ttitle = Title::newFromtext( $newtype, NS_TEMPLATE );
886	886	$ftitle = Title::newFromtext( $newtype, NS_FORM );
887	887	if( !is_object( $ttitle ) \|\| !is_object( $ftitle ) ) {
888		~~- $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-createerror', $rtype ) . "</div>\n" );~~
	888	+ $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-createerror', htmlspecialchars( $rtype ) ) . "</div>\n" );
889	889	}
890	890	$tttext = $ttitle->getPrefixedText();
891	891	$fttext = $ftitle->getPrefixedText();
892	892
893	893	# check if the template already exists
894	894	if( $ttitle->exists() ) {
895		~~- $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-alreadyexist', $tttext ) . "</div>\n" );~~
	895	+ $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-alreadyexist', htmlspecialchars( $tttext ) ) . "</div>\n" );
896	896	}
897	897
898	898	# check if the form already exists
899	899	elseif( $ftitle->exists() ) {
900		~~- $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-alreadyexist', $fttext ) . "</div>\n" );~~
	900	+ $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-alreadyexist', htmlspecialchars( $fttext ) ) . "</div>\n" );
901	901	}
902	902
903	903	# Attempt to create the template and form
—	—	@@ -918,11 +918,11 @@
919	919	$text = "<html>\n\t<form>\n\t\t<table>\n\t\t$link\n\t\t</table>\n\t</form>\n</html>";
920	920	$article = new Article( $ftitle );
921	921	$success = $article->doEdit( $text, $summary, EDIT_NEW );
922		~~- if( !$success ) $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-createerror', $fttext ) . "</div>\n" );~~
923		~~- } else $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-createerror', $tttext ) . "</div>\n" );~~
	922	+ if( !$success ) $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-createerror', htmlspecialchars( $fttext ) ) . "</div>\n" );
	923	+ } else $wgOut->addHTML( "<div class='errorbox'>" . wfMsgHtml( 'recordadmin-createerror', htmlspecialchars( $tttext ) ) . "</div>\n" );
924	924
925	925	# Report success
926		~~- if( $success ) $wgOut->addHTML( "<div class='successbox'>" . wfMsgHtml( 'recordadmin-createsuccess', $rtype ) . "</div>\n" );~~
	926	+ if( $success ) $wgOut->addHTML( "<div class='successbox'>" . wfMsgHtml( 'recordadmin-createsuccess', htmlspecialchars( $rtype ) ) . "</div>\n" );
927	927	}
928	928	}
929	929

Follow-up revisions

Revision	Commit summary	Author	Date
r100993	Remove extraneous w, inserted in r100612.	platonides	16:04, 27 October 2011

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r100520	Escape html	platonides	22:19, 22 October 2011

Status & tagging log

06:17, 28 October 2011 Nikerabbit (talk | contribs) changed the status of r100612 [removed: new added: resolved]