r113297 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r113296‎ \| r113297 \| r113298 >
Date:	21:06, 7 March 2012
Author:	wikinaut
Status:	reverted (Comments)
Tags:	gerritmigration
Comment:	fix for bug34763 'RSS feed items (HTML) are not rendered as HTML but htmlescaped'; tolerated controlled regression bug30377 'feed item length limitation', because this now becomes very tricky when we allow some tags in order to close bug 34763.
Modified paths:	/trunk/extensions/RSS/RELEASE-NOTES (modified) (history) /trunk/extensions/RSS/RSS.php (modified) (history) /trunk/extensions/RSS/RSSParser.php (modified) (history)

Diff [purge]

Index: trunk/extensions/RSS/RELEASE-NOTES
—	—	@@ -11,6 +11,13 @@
12	12	(otherwise using the defaults - PHP will abort the entire program when your
13	13	memory usage gets too high)
14	14
	15	+=== Version 2.12 2012-03-07 ===
	16	+* bug fix 34763 "RSS feed items (HTML) are not rendered as HTML but htmlescaped"
	17	+* regression bug 30377 "Add a new parameter to limit the number of characters
	18	+ when rendering the channel item <description>". Feed item string length
	19	+ limitation is difficult when we allow HTML <a> or <img> tags, because a mere
	20	+ content-unaware limitation breaks (can break) tags which results in disastrous
	21	+ rendering results.
15	22
16	23	=== Version 2.11 2012-02-29 ===
17	24	* function name typo correction
Index: trunk/extensions/RSS/RSSParser.php
—	—	@@ -312,6 +312,14 @@
313	313	return $ret;
314	314	}
315	315
	316	+ function sandboxParse($wikiText) {
	317	+ global $wgTitle, $wgUser;
	318	+ $myParser = new Parser();
	319	+ $myParserOptions = ParserOptions::newFromUser($wgUser);
	320	+ $result = $myParser->parse($wikiText, $wgTitle, $myParserOptions);
	321	+ return $result->getText();
	322	+ }
	323	+
316	324	/**
317	325	* Render the entire feed so that each item is passed to the
318	326	* template which the MediaWiki then displays.
—	—	@@ -320,7 +328,7 @@
321	329	* @param $frame the frame param to pass to recursiveTagParse()
322	330	*/
323	331	function renderFeed( $parser, $frame ) {
324		-
	332	+
325	333	$renderedFeed = '';
326	334
327	335	if ( isset( $this->itemTemplate ) && isset( $parser ) && isset( $frame ) ) {
—	—	@@ -336,15 +344,15 @@
337	345	}
338	346
339	347	if ( $this->canDisplay( $item ) ) {
340		~~- $renderedFeed .= $this->renderItem( $item ) . "\n";~~
	348	+ $renderedFeed .= $this->renderItem( $item, $parser ) . "\n";
341	349	$headcnt++;
342	350	}
343	351	}
344	352
345		~~- $renderedFeed = $parser->recursiveTagParse( $renderedFeed, $frame );~~
	353	+ $renderedFeed = $this->sandboxParse( $renderedFeed );
346	354
347		~~- }~~
348		-
	355	+ }
	356	+
349	357	return $renderedFeed;
350	358	}
351	359
—	—	@@ -353,7 +361,7 @@
354	362	*
355	363	* @param $item Array: an array produced by RSSData where keys are the names of the RSS elements
356	364	*/
357		~~- protected function renderItem( $item ) {~~
	365	+ protected function renderItem( $item, $parser ) {
358	366
359	367	$renderedItem = $this->itemTemplate;
360	368
—	—	@@ -385,12 +393,14 @@
386	394	$renderedItem = str_replace( '{{{date}}}', $txt, $renderedItem );
387	395	break;
388	396	default:
389		~~- $str = $this->escapeTemplateParameter( $item[$info] );~~
	397	+ $str = $this->escapeTemplateParameter( $item[$info] );
	398	+ /***
390	399	if ( mb_strlen( $str ) > $this->ItemMaxLength ) {
391	400	$str = mb_substr( $str, 0, $this->ItemMaxLength ) . " ...";
392	401	}
	402	+ ***/
393	403	$txt = $this->highlightTerms( $str );
394		~~- $renderedItem = str_replace( '{{{' . $info . '}}}', $txt, $renderedItem );~~
	404	+ $renderedItem = str_replace( '{{{' . $info . '}}}', $parser->insertStripItem( $str ), $renderedItem );
395	405	}
396	406	}
397	407
—	—	@@ -434,41 +444,60 @@
435	445	* to the other kinds of markup, to avoid user input ending a template
436	446	* invocation.
437	447	*
438		~~- * We change differently flavoured <p> and <br> tags to effective <br> tags,~~
439		~~- * other tags such as <a> will be rendered html-escaped.~~
	448	+ * If you want to allow clickable link Urls (HTML <a> tag) in RSS feeds:
	449	+ * $wgRSSAllowLinkTag = true;
440	450	*
	451	+ * If you want to allow images (HTML <img> tag) in RSS feeds:
	452	+ * $wgAllowImageTag = true;
	453	+ *
441	454	*/
442	455	protected function escapeTemplateParameter( $text ) {
443		~~- $text = str_replace(~~
444		~~- array( '[', '\|', ']', '\'', 'ISBN ',~~
445		~~- 'RFC ', '://', "\n=", '{{', '}}',~~
446		~~- ),~~
447		~~- array( '[', '\|', ']', ''', 'ISBN ',~~
448		~~- 'RFC ', '://', "\n=", '{{', '}}',~~
449		~~- ),~~
450		~~- htmlspecialchars( str_replace( "\n", "", $text ) )~~
451		~~- );~~
	456	+ global $wgRSSAllowLinkTag, $wgAllowImageTag;
452	457
453		~~- // keep some basic layout tags~~
454		~~- $text = str_replace(~~
455		~~- array( '<p>', '</p>',~~
456		~~- '<br/>', '<br>', '</br>',~~
457		~~- '<b>', '</b>',~~
458		~~- '<i>', '</i>',~~
459		~~- '<u>', '</u>',~~
460		~~- '<s>', '</s>',~~
461		~~- ),~~
462		~~- array( "", "<br/>",~~
463		~~- "<br/>", "<br/>", "<br/>",~~
464		~~- "'''", "'''",~~
465		~~- "''", "''",~~
466		~~- "<u>", "</u>",~~
467		~~- "<s>", "</s>",~~
468		~~- ),~~
469		~~- $text~~
470		~~- );~~
	458	+ if ( isset( $wgRSSAllowLinkTag ) && $wgRSSAllowLinkTag ) {
	459	+ $extra = array( "a" );
	460	+ } else {
	461	+ $extra = array();
	462	+ }
471	463
472		~~- return $text;~~
	464	+ if ( ( isset( $wgRSSAllowLinkTag ) && $wgRSSAllowLinkTag )
	465	+ \|\| ( isset( $wgAllowImageTag ) && $wgAllowImageTag ) ) {
	466	+
	467	+ $ret = Sanitizer::removeHTMLtags( $text, null, array(), $extra, array( "iframe" ) );
	468	+
	469	+ } else { // use the old escape method for a while
	470	+
	471	+ $text = str_replace(
	472	+ array( '[', '\|', ']', '\'', 'ISBN ',
	473	+ 'RFC ', '://', "\n=", '{{', '}}',
	474	+ ),
	475	+ array( '[', '\|', ']', ''', 'ISBN ',
	476	+ 'RFC ', '://', "\n=", '{{', '}}',
	477	+ ),
	478	+ htmlspecialchars( str_replace( "\n", "", $text ) )
	479	+ );
	480	+
	481	+ // keep some basic layout tags
	482	+ $ret = str_replace(
	483	+ array( '<p>', '</p>',
	484	+ '<br/>', '<br>', '</br>',
	485	+ '<b>', '</b>',
	486	+ '<i>', '</i>',
	487	+ '<u>', '</u>',
	488	+ '<s>', '</s>',
	489	+ ),
	490	+ array( "", "<br/>",
	491	+ "<br/>", "<br/>", "<br/>",
	492	+ "'''", "'''",
	493	+ "''", "''",
	494	+ "<u>", "</u>",
	495	+ "<s>", "</s>",
	496	+ ),
	497	+ $text
	498	+ );
	499	+ }
	500	+
	501	+ return $ret;
473	502	}
474	503
475	504	/**
Index: trunk/extensions/RSS/RSS.php
—	—	@@ -4,7 +4,7 @@
5	5	*
6	6	* @file
7	7	* @ingroup Extensions
8		~~- * @version 2.11~~
	8	+ * @version 2.12
9	9	* @author mutante, Daniel Kinzler, Rdb, Mafs, Thomas Gries, Alxndr, Chris Reigrut, K001
10	10	* @author Kellan Elliott-McCrea <kellan@protest.net> -- author of MagpieRSS
11	11	* @author Jeroen De Dauw
—	—	@@ -14,7 +14,7 @@
15	15	* @link http://www.mediawiki.org/wiki/Extension:RSS Documentation
16	16	*/
17	17
18		~~-define( "EXTENSION_RSS_VERSION", "2.11 20120229" );~~
	18	+define( "EXTENSION_RSS_VERSION", "2.12 20120307" );
19	19
20	20	if ( !defined( 'MEDIAWIKI' ) ) {
21	21	die( "This is not a valid entry point.\n" );
—	—	@@ -93,5 +93,12 @@
94	94
95	95	// limit the number of characters in the item description
96	96	// or set to false for unlimited length.
97		~~-// $wgRSSItemMaxLength = false;~~
	97	+// THIS IS CURRENTLY NOT WORKING (bug 30377)
98	98	$wgRSSItemMaxLength = false;
	99	+
	100	+// You can choose to allow active links in feed items; default: false
	101	+$wgRSSAllowLinkTag = false;
	102	+
	103	+// If you want to see images in feed items, then you need to globally allow
	104	+// image tags in your wiki by using the MediaWiki parameter; default: false
	105	+// $wgAllowImageTag = true;

Follow-up revisions

Revision	Commit summary	Author	Date
r114390	Revert r111347, r111348, r111350, r111351, r111515, r111816, r112243, r112251......	catrope	18:40, 21 March 2012

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r111350	fix for bug30377 : add a new parameter to limit the number of characters when...	wikinaut	07:23, 13 February 2012
r112709	function name typo correction. Version number update	wikinaut	20:00, 29 February 2012

Comments

#Comment by Bawolff (talk | contribs) 02:53, 8 March 2012

$ret = Sanitizer::removeHTMLtags( $text, null, array(), $extra, array( "iframe" ) );

Why is iframe specifically mentioned? If there's a good reason, should have a comment.

+ $renderedFeed = $this->sandboxParse( $renderedFeed );

Why does this use its own instance of the parser?

In regards to initializing own instance of parser, initializing the parser using $wgUser 's options, and $wgTitle doesn't seem like the greatest idea. $parser->getTitle() would probably be better than $wgTitle, and for $wgUser, sometimes the parser needs to parse things using a user's options other than the current user (I think it does this to get a canonical version of the page for links tables, but don't quote me on that). You can get the current parser options using $parser->getOptions(). However as I said above, it doesn't seem like the sandboxParse is actually necessary in your code.

#Comment by Wikinaut (talk | contribs) 06:51, 8 March 2012

ad i) iframe: I saw in a E:RSS rendered feed http://rss.slashdot.org/Slashdot/slashdot one or several iframe tags which came through htmlescaped. I will make a deeper analysis of this specific case of iframes. I just wanted to be sure that iframes are expressly escaped, however we can further discuss this depending on my analysis.

ad ii) this was also discussed with Brion, and not working in the first test: not working without a (local sandbox) parsing in the local context as described here https://www.mediawiki.org/wiki/Manual:Special_pages#workaround_.231 from where it is verbatim copied. Your comment means that the text on https://www.mediawiki.org/wiki/Manual:Special_pages#workaround_.231 should be further corrected (Brion already corrected https://www.mediawiki.org/w/index.php?title=Manual%3ASpecial_pages&diff=505706&oldid=490966 "fix for calling private func; use the public one").

Summary: I will checked and make further analysis of the two points you had. However, the current code is working as intended, can perhaps be improved. I invite everyone - especially parser experts - to help me here, because it was a long and windy road already.

Does this sufficiently answer your questions ?

#Comment by Wikinaut (talk | contribs) 07:51, 8 March 2012

RE: + $renderedFeed = $this->sandboxParse( $renderedFeed );

I double-checked it. result: the sandbox-parsign is needed. If I use recursiveTagParse the wiki page is not correctly rendered and elements from the content window break out and appear outside, navigation bar broken etc. So what has been written on https://www.mediawiki.org/wiki/Manual:Special_pages#workaround_.231 applies to the present issue.

Status & tagging log

18:40, 21 March 2012 Catrope (talk | contribs) changed the status of r113297 [removed: new added: reverted]
01:03, 21 March 2012 Catrope (talk | contribs) changed the tags for r113297 [added: gerritmigration]