r105717 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r105716‎ \| r105717 \| r105718 >
Date:	20:59, 9 December 2011
Author:	gregchiasson
Status:	ok (Comments)
Tags:
Comment:	Escape all the unescaped text on AFTv5 feedback page.
Modified paths:	/trunk/extensions/ArticleFeedbackv5/api/ApiViewFeedbackArticleFeedbackv5.php (modified) (history)

Diff [purge]

Index: trunk/extensions/ArticleFeedbackv5/api/ApiViewFeedbackArticleFeedbackv5.php
—	—	@@ -57,6 +57,7 @@
58	58
59	59	$where['af_page_id'] = $pageId;
60	60
	61	+ // TODO: Not this.
61	62	return $dbr->selectField(
62	63	array( 'aft_article_feedback' ),
63	64	array( 'COUNT(*) AS count' ),
—	—	@@ -170,7 +171,7 @@
171	172	protected function renderFeedback( $record ) {
172	173	$id = $record[0]->af_id;
173	174	$rv = "<div class='aft5-feedback'><p>"
174		~~- .wfMsg( 'articlefeedbackv5-form-header', $id, $record[0]->af_created )~~
	175	+ .wfMessage( 'articlefeedbackv5-form-header', $id, $record[0]->af_created )->escaped()
175	176	.'</p>';
176	177	switch( $record[0]->af_bucket_id ) {
177	178	case 1: $rv .= $this->renderBucket1( $record ); break;
—	—	@@ -182,63 +183,67 @@
183	184	default: $rv .= $this->renderNoBucket( $record ); break;
184	185	}
185	186	$rv .= "<p>"
186		~~- .wfMsg( 'articlefeedbackv5-form-optionid', $record[0]->af_bucket_id )~~
	187	+ .wfMessage( 'articlefeedbackv5-form-optionid', $record[0]->af_bucket_id )->escaped()
187	188	." \| "
188	189	."<a href='#' class='aft5-hide-link' id='aft5-hide-link-$id'>"
189		~~- .wfMsg( 'articlefeedbackv5-form-hide', $record[0]->af_hide_count )~~
	190	+ .wfMessage( 'articlefeedbackv5-form-hide', $record[0]->af_hide_count )->escaped()
190	191	.'</a> \| '
	192	+//204
191	193	."<a href='#' class='aft5-abuse-link' id='aft5-abuse-link-$id'>"
192		~~- .wfMsg( 'articlefeedbackv5-form-abuse', $record[0]->af_abuse_count )~~
	194	+ .wfMessage( 'articlefeedbackv5-form-abuse', $record[0]->af_abuse_count )->escaped()
193	195	."</a></p></div><hr>";
194	196	return $rv;
195	197	}
196	198
197	199	private function renderBucket1( $record ) {
198		~~- $name = $record[0]->user_name;~~
	200	+ $name = htmlspecialchars( $record[0]->user_name );
199	201	if( $record['found']->aa_response_boolean ) {
200		~~- $found = wfMsg(~~
	202	+ $found = wfMessage(
201	203	'articlefeedbackv5-form1-header-found',
202	204	$name
203		~~- );~~
	205	+ )->escaped();
204	206	} else {
205		~~- $found = wfMsg(~~
	207	+ $found = wfMessage(
206	208	'articlefeedbackv5-form1-header-not-found',
207	209	$name
208		~~- );~~
209		-
	210	+ )->escaped();
210	211	}
211	212	return "$found
212		~~- <blockquote>".$record['comment']->aa_response_text~~
	213	+ <blockquote>".htmlspecialchars( $record['comment']->aa_response_text )
213	214	.'</blockquote>';
214	215	}
215	216
216	217	private function renderBucket2( $record ) {
217		~~- $name = $record[0]->user_name;~~
218		~~- $type = $record['tag']->afo_name;~~
219		~~- return wfMsg( 'articlefeedbackv5-form2-header', $name, $type )~~
220		~~- .'<blockquote>'.$record['comment']->aa_response_text~~
	218	+ $name = htmlspecialchars( $record[0]->user_name );
	219	+ $type = htmlspecialchars( $record['tag']->afo_name );
	220	+ return wfMessage( 'articlefeedbackv5-form2-header', $name, $type )->escaped()
	221	+ .'<blockquote>'.htmlspecialchars( $record['comment']->aa_response_text )
221	222	.'</blockquote>';
222	223	}
223	224
224	225	private function renderBucket3( $record ) {
225		~~- $name = $record[0]->user_name;~~
226		~~- $rating = $record['rating']->aa_response_rating;~~
227		~~- return wfMsg( 'articlefeedbackv5-form3-header', $name, $rating )~~
228		~~- .'<blockquote>'.$record['comment']->aa_response_text~~
	226	+ $name = htmlspecialchars( $record[0]->user_name );
	227	+ $rating = htmlspecialchars( $record['rating']->aa_response_rating );
	228	+ return wfMessage( 'articlefeedbackv5-form3-header', $name, $rating )->escaped()
	229	+ .'<blockquote>'.htmlspecialchars( $record['comment']->aa_response_text )
229	230	.'</blockquote>';
230	231	}
231	232
232	233	private function renderBucket4( $record ) {
233		~~- return wfMsg( 'articlefeedbackv5-form4-header' );~~
	234	+ return wfMessage( 'articlefeedbackv5-form4-header' )->escaped();
234	235	}
235	236
236	237	private function renderBucket5( $record ) {
237		~~- $name = $record[0]->user_name;~~
238		~~- $rv = wfMsg( 'articlefeedbackv5-form5-header', $name );~~
	238	+ $name = htmlspecialchars( $record[0]->user_name );
	239	+ $rv = wfMessage( 'articlefeedbackv5-form5-header', $name )->escaped();
239	240	$rv .= '<ul>';
240	241	foreach( $record as $key => $answer ) {
241	242	if( $answer->afi_data_type == 'rating' && $key != '0' ) {
242		~~- $rv .= "<li>".$answer->afi_name.': '.$answer->aa_response_rating."</li>";~~
	243	+ $rv .= "<li>"
	244	+ .htmlspecialchars( $answer->afi_name )
	245	+ .': '
	246	+ .htmlspecialchars( $answer->aa_response_rating )
	247	+ ."</li>";
243	248	}
244	249	}
245	250	$rv .= "</ul>";
—	—	@@ -252,11 +257,11 @@
253	258	}
254	259
255	260	private function renderNoBucket( $record ) {
256		~~- return wfMsg( 'articlefeedbackv5-form-invalid' );~~
	261	+ return wfMessage( 'articlefeedbackv5-form-invalid' )->escaped();
257	262	}
258	263
259	264	private function renderBucket6( $record ) {
260		~~- return wfMsg( 'articlefeedbackv5-form-not-shown' );~~
	265	+ return wfMessage( 'articlefeedbackv5-form-not-shown' )->escaped();
261	266	}
262	267
263	268	/**

Comments

#Comment by Catrope (talk | contribs) 20:32, 12 December 2011

+//204

#Comment by Krinkle (talk | contribs) 20:51, 12 December 2011

+		// TODO: Not this.

Status & tagging log

20:32, 12 December 2011 Catrope (talk | contribs) changed the status of r105717 [removed: new added: ok]