r39600 MediaWiki - Code Review archive

Repository: MediaWiki
Revision: r39599 | r39600 | r39601
Date: 18:15, 18 August 2008
Author: simetrical
Status: old
Tags:
Comment:
Re-committing 37663 for the new release, per old Wikitech-l discussion.

* (bug 13815) In the comment for page moves, use the colon-separator message instead of a hardcoded colon.
* So that this works properly, don't escape HTML entities in edit summaries. I don't see any good reason for them to be escaped there. Of course, this may result in old edit summaries displaying slightly differently if for some reason they included an entity, but in that case there's at least a 50% chance that they intended it to not be escaped in the first place.
Modified paths:
  • /trunk/phase3/RELEASE-NOTES (modified)
  • /trunk/phase3/includes/GlobalFunctions.php (modified)
  • /trunk/phase3/includes/Linker.php (modified)
  • /trunk/phase3/includes/Sanitizer.php (modified)
  • /trunk/phase3/includes/Title.php (modified)

Diff

Index: trunk/phase3/includes/GlobalFunctions.php
@@ -676,9 +676,7 @@
677677 if ( in_array('escape', $options) ) {
678678 $string = htmlspecialchars ( $string );
679679 } elseif ( in_array( 'escapenoentities', $options ) ) {
680 - $string = htmlspecialchars( $string );
681 - $string = str_replace( '&', '&', $string );
682 - $string = Sanitizer::normalizeCharReferences( $string );
 680+ $string = Sanitizer::escapeHtmlAllowEntities( $string );
683681 }
684682
685683 if( in_array('replaceafter', $options) ) {
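Review bot: the replacement at new line 680 is not behaviour-preserving for the 'escapenoentities' option. The removed code called htmlspecialchars( $string ) with its default flags, while Sanitizer::escapeHtmlAllowEntities (added in Sanitizer.php in this same commit) passes ENT_QUOTES, so single quotes are now escaped as well in every message fetched with this option. That is probably fine for HTML output, but it changes the result for all existing callers and neither the commit message nor RELEASE-NOTES mentions it. Either say so, or confirm that no caller depends on an unescaped apostrophe.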
Index: trunk/phase3/includes/Linker.php
@@ -1160,7 +1160,8 @@
11611161
11621162 # Sanitize text a bit:
11631163 $comment = str_replace( "\n", " ", $comment );
1164 - $comment = htmlspecialchars( $comment );
 1164+ # Allow HTML entities (for bug 13815)
 1165+ $comment = Sanitizer::escapeHtmlAllowEntities( $comment );
11651166
11661167 # Render autocomments and make links:
11671168 $comment = $this->formatAutoComments( $comment, $title, $local );
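Review bot: after new line 1165, $comment still carries user-supplied character references when it reaches formatAutoComments() and the link rendering that follows, where htmlspecialchars() used to neutralise every ampersand. The safety of the output now rests on Sanitizer::normalizeCharReferences() inside the new helper, and on no later step decoding entities and emitting the result unescaped. Please extend the inline comment to state that dependency, and add a test that runs a summary containing encoded angle brackets and quotes through this whole function and checks that they come out still encoded.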
Index: trunk/phase3/includes/Sanitizer.php
@@ -822,6 +822,22 @@
823823 }
824824
825825 /**
 826+ * Given HTML input, escape with htmlspecialchars but un-escape entites.
 827+ * This allows (generally harmless) entities like   to survive.
 828+ *
 829+ * @param string $html String to escape
 830+ * @return string Escaped input
 831+ */
 832+ static function escapeHtmlAllowEntities( $html ) {
 833+ # It seems wise to escape ' as well as ", as a matter of course. Can't
 834+ # hurt.
 835+ $html = htmlspecialchars( $html, ENT_QUOTES );
 836+ $html = str_replace( '&', '&', $html );
 837+ $html = Sanitizer::normalizeCharReferences( $html );
 838+ return $html;
 839+ }
 840+
 841+ /**
826842 * Regex replace callback for armoring links against further processing.
827843 * @param array $matches
828844 * @return string
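Review bot: the docblock at lines 826-831 understates what this function is responsible for. It says "Given HTML input", but the callers in this commit pass unescaped text (an edit summary, a message string), and the function is the only escaping that text gets. The doc should say that the return value is safe to output as HTML, that this holds only because normalizeCharReferences() re-escapes anything that is not a well-formed reference, and that quotes are escaped because of ENT_QUOTES. Also fix the typo "entites". Separately, as rendered on this page line 836 reads str_replace( '&', '&', $html ), which does nothing; for the un-escaping step to happen the search string has to be the escaped form that htmlspecialchars() produces for an ampersand, so please check that line against the file itself.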
Index: trunk/phase3/includes/Title.php
@@ -2758,7 +2758,9 @@
27592759 $fname = 'MovePageForm::moveToNewTitle';
27602760 $comment = wfMsgForContent( '1movedto2', $this->getPrefixedText(), $nt->getPrefixedText() );
27612761 if ( $reason ) {
2762 - $comment .= ": $reason";
 2762+ $comment .= wfMsgExt( 'colon-separator',
 2763+ array( 'escapenoentities', 'content' ) );
 2764+ $comment .= $reason;
27632765 }
27642766
27652767 $newid = $nt->getArticleID();
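Review bot: lines 2762-2764 build $comment from pieces in two different encodings. The separator is fetched with 'escapenoentities', so it is already HTML-escaped, and it is then concatenated with the unescaped $reason. Whatever consumes $comment afterwards has to treat it as partly escaped, and any output path that does not go through the Linker change in this commit will show a literal entity from the separator. Consider fetching the message unescaped here and escaping once, at output, so that $comment stays plain text.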
Index: trunk/phase3/RELEASE-NOTES
@@ -94,6 +94,9 @@
9595 background colours based on classes "odd" and "even".
9696 * (bug 14187) In Special:Userlogin the buttons "Log in" and "E-mail new
9797 password" now have classes "mw-loginbutton" and "mw-mailmypasswordbutton".
 98+* HTML entities like   now work (are not escaped) in edit summaries.
 99+* (bug 13815) In the comment for page moves, use the colon-separator message
 100+ instead of a hardcoded colon.
98101
99102 === Bug fixes in 1.14 ===
100103
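Review bot: the entry added at line 98 describes the entity change only as a feature. The same change alters how existing edit summaries that contain an entity are displayed, which the commit message acknowledges, and upgraders should be told here as well. Suggest adding that previously saved summaries may render differently.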

Past revisions this follows-up on

Revision | Commit summary | Author | Date
r37663 | * (bug 13815) In the comment for page moves, use the colon-separator message ... | simetrical | 21:43, 14 July 2008
r37714 | Revert r37663 for now:... | brion | 21:13, 15 July 2008
