r102060 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r102060
Date:22:27, 4 November 2011
Author:foxtrott
Status:deferred (Comments)
Comment:
bugfix (#autoedit not able to update a field with a +)
Modified paths:
  • /trunk/extensions/SemanticForms/includes/SF_ParserFunctions.php (modified)

Diff

Index: trunk/extensions/SemanticForms/includes/SF_ParserFunctions.php
@@ -607,8 +607,12 @@
608608 $summary = $parser->recursiveTagParse( $value );
609609 break;
610610 default :
 611+ // The decode-encode sequence allows users to pass wikitext
 612+ // to the target form without having it parsed right away.
 613+ // To do that they need to use htmlentities instead of
 614+ // braces and brackets
611615 $formcontent .=
612 - Xml::input( $key, false, urldecode( $value ) , array( 'type' => 'hidden') );
 616+ Xml::input( $key, false, htmlentities( html_entity_decode( $value ) ) , array( 'type' => 'hidden') );
613617 }
614618 }
615619
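Review bot: On the added Xml::input() line, wrapping the decoded value in htmlentities() escapes it a second time, because Xml::input() already escapes the attribute value it writes; any & or < in the value will reach the target form as literal entity text. htmlentities() is also called without a charset argument, so the result for non-ASCII input depends on PHP's default encoding. Suggest passing the once-decoded value straight to Xml::input(), and extending the new comment to say that dropping urldecode() is intentional and which values it affects.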

Follow-up revisions

Revision | Commit summary | Author | Date
r102103 | followup r102060: remove double-escaping | foxtrott | 15:25, 5 November 2011

Comments

#Comment by Nikerabbit   14:40, 5 November 2011

I understand html_entity_decode, but I don't understand why you have htmlentities() here. Xml::input already escapes the value for you, so now you get one form of double escaping. In addition, using htmlentities without defining charset breaks all non-ASCII letters.

Urldecode() is also used for summary, maybe others too - they should be changed too.

I would suggest using just Sanitizer::decodeCharReferences for the input in the necessary places.
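The double escaping and the charset problem described in the comment above, as an added PHP example that is not code from the revision or from MediaWiki. hiddenInput() and submittedValue() are hypothetical stand-ins for Xml::input() and for the browser submitting the form, html_entity_decode() with UTF-8 stands in for Sanitizer::decodeCharReferences, and the sample value is constructed.

```php
<?php
// Added example. Save as UTF-8 so the constructed sample contains a
// two-byte non-ASCII letter.

// Hypothetical stand-in for Xml::input(): escapes the value once when it is
// written into the value="" attribute.
function hiddenInput( $name, $value ) {
	return '<input type="hidden" name="' . htmlspecialchars( $name, ENT_QUOTES, 'UTF-8' )
		. '" value="' . htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' ) . '" />';
}

// Hypothetical stand-in for the browser: on submit, the attribute value is
// decoded exactly once.
function submittedValue( $html ) {
	if ( !preg_match( '/ value="([^"]*)"/', $html, $m ) ) {
		return null;
	}
	return html_entity_decode( $m[1], ENT_QUOTES, 'UTF-8' );
}

// Pattern from r102060: decode, re-encode with htmlentities(), then let the
// input helper escape again. ISO-8859-1 is passed explicitly to reproduce the
// default charset PHP used before 5.4.
function asCommitted( $value ) {
	$decoded = html_entity_decode( $value, ENT_COMPAT, 'ISO-8859-1' );
	$encoded = htmlentities( $decoded, ENT_COMPAT, 'ISO-8859-1' );
	return submittedValue( hiddenInput( 'field', $encoded ) );
}

// Pattern suggested in review: decode character references once and leave
// all escaping to the input helper.
function asSuggested( $value ) {
	$decoded = html_entity_decode( $value, ENT_QUOTES, 'UTF-8' );
	return submittedValue( hiddenInput( 'field', $decoded ) );
}

// Constructed sample: entity-encoded braces, a bare ampersand, a non-ASCII letter.
$value = '&#123;&#123;PAGENAME&#125;&#125; R&D Zürich';

// The first result still carries entity text for the ampersand and for each
// byte of the non-ASCII letter; the second is the plain decoded string.
var_dump( asCommitted( $value ) );
var_dump( asSuggested( $value ) );
```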

#Comment by F.trott   14:51, 5 November 2011

Will do that.

#Comment by F.trott   17:26, 8 November 2011

fixed in r102103.
