r110263 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r110262‎ \| r110263 \| r110264 >
Date:	23:50, 29 January 2012
Author:	grafzahl
Status:	deferred
Tags:
Comment:	Fixes bugs reported by Talin Salway <yenthefirst@gmail.com>: * Use htmlspecialchars() instead of strip_tags() in order to preserve user input. * Likewise, use htmlspecialchars() on message parameters in which HTML entities might accidentally be transformed. * Protect parameter in score-invalidlang message with <nowiki> tags so that the error message is properly displayed in all cases.
Modified paths:	/trunk/extensions/Score/Score.body.php (modified) (history) /trunk/extensions/Score/Score.i18n.php (modified) (history)

Diff [purge]

Index: trunk/extensions/Score/Score.i18n.php
—	—	@@ -36,7 +36,7 @@
37	37	$1',
38	38	'score-desc' => 'Adds a tag for rendering musical scores with LilyPond',
39	39	'score-getcwderr' => 'Unable to obtain current working directory',
40		~~- 'score-invalidlang' => 'Invalid score language lang="$1". Currently recognised languages are lang="lilypond" (the default) and lang="ABC".',~~
	40	+ 'score-invalidlang' => 'Invalid score language lang="<nowiki>$1</nowiki>". Currently recognised languages are lang="lilypond" (the default) and lang="ABC".',
41	41	'score-invalidoggoverride' => 'The file you specified with override_ogg is invalid. Please specify the file name only, omit <nowiki>[[…]]</nowiki> and the "{{ns:file}}:" prefix.',
42	42	'score-noabcinput' => 'ABC source file $1 could not be created.',
43	43	'score-noimages' => 'No score images were generated. Please check your score code.',
Index: trunk/extensions/Score/Score.body.php
—	—	@@ -127,7 +127,7 @@
128	128	$message->rawParams(
129	129	Html::rawElement( 'pre',
130	130	array(),
131		~~- strip_tags( $output )~~
	131	+ htmlspecialchars( $output )
132	132	)
133	133	)
134	134	);
—	—	@@ -209,7 +209,7 @@
210	210	$options['lang'] = 'lilypond';
211	211	}
212	212	if ( !in_array( $options['lang'], self::$supportedLangs ) ) {
213		~~- throw new ScoreException( wfMessage( 'score-invalidlang', $options['lang'] ) );~~
	213	+ throw new ScoreException( wfMessage( 'score-invalidlang', htmlspecialchars( $options['lang'] ) ) );
214	214	}
215	215
216	216	/* image file path and URL prefixes */
—	—	@@ -376,14 +376,14 @@
377	377	);
378	378	$link .= $oad->toHtml( array( 'alt' => $code ) );
379	379	} catch ( Exception $e ) {
380		~~- throw new ScoreException( wfMessage( 'score-novorbislink', $e->getMessage() ), 0, $e );~~
	380	+ throw new ScoreException( wfMessage( 'score-novorbislink', htmlspecialchars( $e->getMessage() ) ), 0, $e );
381	381	}
382	382	}
383	383	if ( $options['override_ogg'] !== false ) {
384	384	try {
385	385	$link .= $parser->recursiveTagParse( "[[File:{$options['ogg_name']}]]" );
386	386	} catch ( Exception $e ) {
387		~~- throw new ScoreException( wfMessage( 'score-novorbislink', $e->getMessage() ), 0, $e );~~
	387	+ throw new ScoreException( wfMessage( 'score-novorbislink', htmlspecialchars( $e->getMessage() ) ), 0, $e );
388	388	}
389	389	}
390	390	} catch ( Exception $e ) {

Status & tagging log

14:21, 30 January 2012 Siebrand (talk | contribs) changed the status of r110263 [removed: new added: deferred]