r108320 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r108319‎ \| r108320 \| r108321 >
Date:	15:09, 7 January 2012
Author:	ashley
Status:	ok (Comments)
Tags:
Comment:	Comments: follow-up to r108295: XSS fix
Modified paths:	/trunk/extensions/Comments/SpecialCommentIgnoreList.php (modified) (history)

Diff [purge]

Index: trunk/extensions/Comments/SpecialCommentIgnoreList.php
—	—	@@ -42,6 +42,7 @@
43	43	$out .= $this->displayCommentBlockList();
44	44	} else {
45	45	if( $wgRequest->wasPosted() ) {
	46	+ $user_name = htmlspecialchars_decode( $user_name );
46	47	$user_id = User::idFromName( $user_name );
47	48	// Anons can be comment-blocked, but idFromName returns nothing
48	49	// for an anon, so...
—	—	@@ -112,9 +113,9 @@
113	114	wfMsg( 'comment-ignore-remove-message', $user_name ) .
114	115	'</div>
115	116	<div>
116		~~- <form action="" method="post" name="comment_block">~~
117		~~- <input type="hidden" name="user" value="' . $user_name . '" />~~
118		~~- <input type="button" class="site-button" value="' . wfMsg( 'comment-ignore-unblock' ) . '" onclick="document.comment_block.submit()" />~~
	117	+ <form action="" method="post" name="comment_block">' .
	118	+ Html::hidden( 'user', htmlspecialchars( $user_name, ENT_QUOTES ) ) .
	119	+ '<input type="button" class="site-button" value="' . wfMsg( 'comment-ignore-unblock' ) . '" onclick="document.comment_block.submit()" />
119	120	<input type="button" class="site-button" value="' . wfMsg( 'comment-ignore-cancel' ) . '" onclick="history.go(-1)" />
120	121	</form>
121	122	</div>';

Revision	Commit summary	Author	Date
r108327	Comments: follow-up to r108320: remove htmlspecialchars() call, as per CR	ashley	20:02, 7 January 2012

Revision	Commit summary	Author	Date
r108295	Comments: allow removing anonymous users from your ignore list. User::idFromN...	ashley	00:39, 7 January 2012

#Comment by Johnduhart (talk | contribs) 19:56, 7 January 2012

No need to escape with htmlspecialchars, Html::hidden does that automatically via Html::element

20:19, 7 January 2012 Johnduhart (talk | contribs) changed the status of r108320 [removed: new added: ok]