r25742 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r25741‎ \| r25742 \| r25743 >
Date:	21:01, 10 September 2007
Author:	brion
Status:	old
Tags:
Comment:	* (bug 11158) Fix escaping in API HTML-formatted JSON
Modified paths:	/trunk/extensions/BotQuery/query.php (modified) (history) /trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/api/ApiFormatBase.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/api/ApiFormatBase.php
—	—	@@ -158,8 +158,11 @@
159	159	* This method also replaces any '<' with <
160	160	*/
161	161	protected function formatHTML($text) {
162		~~- // encode all tags as safe blue strings~~
163		~~- $text = ereg_replace('\<([^>]+)\>', '<span style="color:blue;"><\1></span>', $text);~~
	162	+ // Escape everything first for full coverage
	163	+ $text = htmlspecialchars($text);
	164	+
	165	+ // encode all comments or tags as safe blue strings
	166	+ $text = preg_replace('/\<(!--.?--\|.?)\>/', '<span style="color:blue;"><\1></span>', $text);
164	167	// identify URLs
165	168	$protos = "http\|https\|ftp\|gopher";
166	169	$text = ereg_replace("($protos)://[^ \\'\"()<\n]+", '<a href="\\0">\\0</a>', $text);
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -44,6 +44,7 @@
45	45	editinterface to a new permission key editusercssjs.
46	46	* (bug 11266) Set fallback language for Fulfulde (ff) to French
47	47	* (bug 11179) Include image version deletion comment in public log
	48	+* (bug 11158) Fix escaping in API HTML-formatted JSON
48	49
49	50
50	51	=== API changes in 1.12 ===
Index: trunk/extensions/BotQuery/query.php
—	—	@@ -2607,8 +2607,11 @@
2608	2608	*/
2609	2609	function htmlPrinter( $text )
2610	2610	{
2611		~~- // encode all tags as safe blue strings~~
2612		~~- $text = ereg_replace( '\<([^>]+)\>', '<font color=blue><\1></font>', $text );~~
	2611	+ // Escape everything first for full coverage
	2612	+ $text = htmlspecialchars($text);
	2613	+
	2614	+ // encode all comments or tags as safe blue strings
	2615	+ $text = preg_replace('/\<(!--.?--\|.?)\>/', '<span style="color:blue;"><\1></span>', $text);
2613	2616	// identify URLs
2614	2617	$text = ereg_replace("[a-zA-Z]+://[^ '()<\n]+", '<a href="\\0">\\0</a>', $text);
2615	2618	// identify requests to query.php

Follow-up revisions

Revision	Commit summary	Author	Date
r25754	Merged revisions 25607-25751 via svnmerge from...	david	23:02, 10 September 2007
r25802	(API) Partial revert of r25742. Escaping all html special characters in the o...	amidaniel	22:47, 11 September 2007
r25804	Merged revisions 25752-25803 via svnmerge from...	david	02:25, 12 September 2007

Status & tagging log

15:20, 12 September 2011 Meno25 (talk | contribs) changed the status of r25742 [removed: ok added: old]