r111125 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r111124‎ \| r111125 \| r111126 >
Date:	23:42, 9 February 2012
Author:	werdna
Status:	ok (Comments)
Tags:
Comment:	jquery.localize(): Allow "raw" parameter to disable escaping.
Modified paths:	/branches/ArticleCreationWorkflow/phase3/resources/jquery/jquery.localize.js (modified) (history)

Diff [purge]

Index: branches/ArticleCreationWorkflow/phase3/resources/jquery/jquery.localize.js
—	—	@@ -45,8 +45,15 @@
46	46	.find( 'msg,html\\:msg' )
47	47	.each( function() {
48	48	var $el = $(this);
	49	+ var msgText = msg( $el.attr( 'key' ) );
	50	+
	51	+ if ( $el.attr('raw') ) {
	52	+ $el.html(msgText);
	53	+ } else {
	54	+ $el.text(msgText);
	55	+ }
	56	+
49	57	$el
50		~~- .text( msg( $el.attr( 'key' ) ) )~~
51	58	.replaceWith( $el.html() );
52	59	} )
53	60	.end()

Comments

#Comment by Raindrift (talk | contribs) 23:58, 9 February 2012

Andrew and I discussed how this creates a possible XSS vector, wherein the message is replaced with a malicious one through the MediaWiki namespace. However, it seems we've collectively decided to trust the MW namespace, so that makes this okay.

Status & tagging log

21:27, 13 February 2012 Trevor Parscal (WMF) (talk | contribs) changed the tags for r111125 [removed: trevor]
21:24, 13 February 2012 Trevor Parscal (WMF) (talk | contribs) changed the status of r111125 [removed: deferred added: ok]
21:23, 13 February 2012 Werdna (talk | contribs) changed the tags for r111125 [added: trevor]
16:01, 10 February 2012 Reedy (talk | contribs) changed the status of r111125 [removed: new added: deferred]