r50472 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r50471‎ | r50472 | r50473 >
Date:09:09, 11 May 2009
Author:jojo
Status:resolved (Comments)
Tags:
Comment:
Applied patch by Happy-melon. Added additional URL decoding.
Modified paths:
  • /trunk/extensions/Collection/Collection.body.php (modified) (history)
  • /trunk/extensions/Collection/Collection.hooks.php (modified) (history)

Diff [purge]

Index: trunk/extensions/Collection/Collection.hooks.php
@@ -38,14 +38,14 @@
3939 wfLoadExtensionMessages( 'CollectionCore' );
4040
4141 $action = $wgRequest->getVal('action');
42 - if ( method_exists( $skinTemplate, 'getTitle' ) ) {
 42+ if( method_exists( $skinTemplate, 'getTitle' ) ) {
4343 $title = $skinTemplate->getTitle();
4444 } else {
4545 $title = $skinTemplate->mTitle;
4646 }
4747
48 - if ( $skinTemplate->iscontent && ( $action == '' || $action == 'view' || $action == 'purge' ) ) {
49 - if ( self::_isCollectionPage( $title, $wgArticle ) ) {
 48+ if( $skinTemplate->iscontent && ( $action == '' || $action == 'view' || $action == 'purge' ) ) {
 49+ if( self::_isCollectionPage( $title, $wgArticle ) ) {
5050 $params = 'colltitle=' . wfUrlencode( $title->getPrefixedDBKey() );
5151 if ( isset( $wgCollectionFormats['rl'] ) ) {
5252 $nav_urls['printable_version_pdf'] = array(
@@ -68,7 +68,7 @@
6969 $params .= '&oldid=' . $wgArticle->getLatest();
7070 }
7171 }
72 - if ( isset( $wgCollectionFormats['rl'] ) ) {
 72+ if( isset( $wgCollectionFormats['rl'] ) ) {
7373 $nav_urls['printable_version_pdf'] = array(
7474 'href' => SkinTemplate::makeSpecialUrlSubpage(
7575 'Book',
@@ -88,14 +88,10 @@
8989 static function insertMonoBookToolboxLink( &$skinTemplate ) {
9090 global $wgCollectionFormats;
9191
92 - if ( !empty( $skinTemplate->data['nav_urls']['printable_version_pdf']['href'] ) ) {
 92+ if( !empty( $skinTemplate->data['nav_urls']['printable_version_pdf']['href'] ) ) {
9393 $href = htmlspecialchars( $skinTemplate->data['nav_urls']['printable_version_pdf']['href'] );
9494 $label = htmlspecialchars( $skinTemplate->data['nav_urls']['printable_version_pdf']['text'] );
95 - print <<<EOS
96 -
97 - <li id="t-download-as-pdf"><a href="$href" rel="nofollow">$label</a></li>
98 -EOS
99 - ;
 95+ print "<li id=\"t-download-as-pdf\"><a href=\"$href\" rel=\"nofollow\">$label</a></li>";
10096 }
10197 return true;
10298 }
@@ -116,7 +112,7 @@
117113 // but you'd have to inject something for non-open sessions or
118114 // it would be very confusing.
119115 $html = self::getPortlet();
120 - if ( $html ) {
 116+ if( $html ) {
121117 $bar[ 'coll-create_a_book' ] = $html;
122118 }
123119 }
@@ -132,16 +128,11 @@
133129
134130 $html = self::getPortlet();
135131
136 - if ( $html ) {
 132+ if( $html ) {
137133 $portletTitle = wfMsgHtml( 'coll-create_a_book' );
138 - print <<<EOS
139 -<div id="p-collection" class="portlet">
 134+ print "<div id=\"p-collection\" class=\"portlet\">
140135 <h5>$portletTitle</h5>
141 - <div class="pBody">
142 -EOS
143 - ;
144 - print $html;
145 - print '</div></div>';
 136+ <div class=\"pBody\">\n$html\n</div></div>";
146137 }
147138 }
148139
@@ -151,188 +142,148 @@
152143 static function getPortlet( $ajaxHint='' ) {
153144 global $wgArticle;
154145 global $wgTitle;
155 - global $wgOut;
 146+ global $wgOut, $wgUser;
156147 global $wgRequest;
157148 global $wgCollectionArticleNamespaces;
158 - global $wgJsMimeType;
159149 global $wgScriptPath;
160150 global $wgCollectionStyleVersion;
161151 global $wgCollectionNavPopups;
 152+
 153+ $sk = $wgUser->getSkin();
162154
163 - $navPopupJSURL = "$wgScriptPath/extensions/Collection/collection/Gadget-popups.js?$wgCollectionStyleVersion";
164 - $navPopupCSSURL = "$wgScriptPath/extensions/Collection/collection/Gadget-navpop.css?$wgCollectionStyleVersion";
165 -
166 -
167155 wfLoadExtensionMessages( 'CollectionCore' );
168156
169 - if (!$ajaxHint) {
 157+ if( !$ajaxHint ) {
170158 // we need to re-construct a title object from the request, because
171 - // the "subpage" (i.e. "par") part has been stripped of by SpecialPage.php
 159+ // the "subpage" (i.e. "par") part has been stripped off by SpecialPage.php
172160 // in $wgTitle.
173161 $origTitle = Title::newFromUrl($wgRequest->getVal('title'));
174 - if (!is_null($origTitle)
175 - && $origTitle->getLocalUrl() == SkinTemplate::makeSpecialUrl('Book')) {
 162+ if( !is_null( $origTitle )
 163+ && $origTitle->getLocalUrl() == SkinTemplate::makeSpecialUrl( 'Book' ) ) {
176164 return;
177165 }
178166 }
179167
180 - $addArticle = wfMsgHtml( 'coll-add_page' );
181 - $addArticleTooltip = wfMsgHtml( 'coll-add_page_tooltip' );
182 - $removeArticle = wfMsgHtml( 'coll-remove_page' );
183 - $removeArticleTooltip = wfMsgHtml( 'coll-remove_page_tooltip' );
184 - $addCategory = wfMsgHtml( 'coll-add_category' );
185 - $addCategoryTooltip = wfMsgHtml( 'coll-add_category_tooltip' );
186 - $loadCollection = wfMsgHtml( 'coll-load_collection' );
187 - $loadCollection = wfMsgHtml( 'coll-load_collection_tooltip' );
188168 $namespace = $wgTitle->getNamespace();
189169
190170 $numArticles = CollectionSession::countArticles();
191171 $showShowAndClearLinks = true;
192 - $addRemoveState = '';
193172
194 - $out = '<ul id="collectionPortletList">';
 173+ $out = Xml::element( 'ul', array( 'id' => 'collectionPortletList' ), NULL );
195174
196 - if ( self::_isCollectionPage( $wgTitle, $wgArticle) ) {
197 - $params = "colltitle=" . $wgTitle->getPrefixedUrl();
198 - $href = htmlspecialchars( SkinTemplate::makeSpecialUrlSubpage(
199 - 'Book',
200 - 'load_collection/',
201 - $params ) );
202 - $out .= "<li><a href=\"$href\" rel=\"nofollow\" title=\"$loadCollectionTooltip\">$loadCollection</a></li>";
 175+ if( self::_isCollectionPage( $wgTitle, $wgArticle) ) {
 176+ $out .= Xml::tags( 'li', array( 'id' => 'coll-load_collection' ),
 177+ $sk->link( SpecialPage::getTitleFor( 'Book', 'load_collection/' ),
 178+ wfMsgHtml( "coll-load_collection" ),
 179+ array( 'rel' => 'nofollow',
 180+ 'title' => wfMsg( "coll-load_collection_tooltip" ), ),
 181+ array( 'colltitle' => $wgTitle->getPrefixedUrl() ),
 182+ array( 'known', 'noclasses' )
 183+ )
 184+ );
203185 $showShowAndClearLinks = false;
204186
205 - } else if ( $ajaxHint == 'addcategory' || $namespace == NS_CATEGORY ) {
206 - $addRemoveState = 'addcategory';
207 - $params = "cattitle=" . $wgTitle->getPartialURL();
208 - $href = htmlspecialchars( SkinTemplate::makeSpecialUrlSubpage(
209 - 'Book',
210 - 'add_category/',
211 - $params ) );
212 - $out .= <<<EOS
213 -<li>
214 -<a href="$href" onclick="collectionCall('AddCategory', ['addcategory', wgTitle]); return false;" rel="nofollow" title="$addCategoryTooltip">$addCategory</a>
215 -</li>
216 -EOS
217 - ;
 187+ } else if( $ajaxHint == 'addcategory' || $namespace == NS_CATEGORY ) {
218188
219 - } else if ( $ajaxHint || in_array( $namespace, $wgCollectionArticleNamespaces ) ) {
220 - $params = "arttitle=" . $wgTitle->getPrefixedUrl();
 189+ $out .= Xml::tags( 'li', array( 'id' => 'coll-add_category' ),
 190+ $sk->link( SpecialPage::getTitleFor( 'Book', 'add_category/' ),
 191+ wfMsgHtml( "coll-add_category" ),
 192+ array( 'onclick' => "collectionCall('AddCategory', ['addcategory', wgTitle]); return false;",
 193+ 'rel' => 'nofollow',
 194+ 'title' => wfMsg( "coll-add_category_tooltip" ), ),
 195+ array( 'cattitle' => $wgTitle->getPartialURL() ),
 196+ array( 'known', 'noclasses', 'noescape' )
 197+ )
 198+ );
 199+
 200+ } else if( $ajaxHint || in_array( $namespace, $wgCollectionArticleNamespaces ) ) {
 201+ $params = array( 'arttitle' => $wgTitle->getPrefixedUrl() );
221202 if ( !is_null( $wgArticle ) ) {
222203 $oldid = $wgArticle->getOldID();
223 - $params .= "&oldid=" . $oldid;
224 - } else {
225 - $oldid = null;
 204+ $params['oldid'] = $oldid;
226205 }
227206
228 - $addLink = false;
229 - if ( $ajaxHint == 'removepage' ) {
230 - $addLink = false;
231 - } else if ( $ajaxHint == 'addpage') {
232 - $addLink = true;
233 - } else if ( CollectionSession::findArticle( $wgTitle->getPrefixedText(), $oldid ) == -1 ) {
234 - $addLink = true;
235 - }
236 - if ( $addLink ) {
237 - $addRemoveState = 'addpage';
238 - $href = htmlspecialchars( SkinTemplate::makeSpecialUrlSubpage(
239 - 'Book',
240 - 'add_article/',
241 - $params ) );
242 - $out .= <<<EOS
243 -<li>
244 - <a href="$href" onclick="collectionCall('AddArticle', ['removepage', wgNamespaceNumber, wgTitle, $oldid]); return false;" rel="nofollow" title="$addArticleTooltip">$addArticle</a>
245 -</li>
246 -EOS
247 - ;
 207+ if ( $ajaxHint == 'addpage' || CollectionSession::findArticle( $wgTitle->getPrefixedText(), $oldid ) == -1 ) {
 208+ $action = 'add';
 209+ $uaction = 'Add';
 210+ $other_action = 'remove';
248211 } else {
249 - $addRemoveState = 'removepage';
250 - $href = htmlspecialchars( SkinTemplate::makeSpecialUrlSubpage(
251 - 'Book',
252 - 'remove_article/',
253 - $params ) );
254 - $out .= <<<EOS
255 -<li>
256 - <a href="$href" onclick="collectionCall('RemoveArticle', ['addpage', wgNamespaceNumber, wgTitle, $oldid]); return false;" rel="nofollow" title="$removeArticleTooltip">$removeArticle</a>
257 -</li>
258 -EOS
259 - ;
 212+ $action = 'remove';
 213+ $uaction = 'Remove';
 214+ $other_action = 'add';
260215 }
 216+
 217+ $out .= Xml::tags( 'li', array( 'id' => "coll-{$action}_page" ),
 218+ $sk->link( SpecialPage::getTitleFor( 'Book', "{$action}_article/" ),
 219+ wfMsgHtml( "coll-{$action}_page" ),
 220+ array( 'onclick' => "collectionCall('{$uaction}Article', ['{$other_action}page', wgNamespaceNumber, wgTitle, $oldid]); return false;",
 221+ 'rel' => 'nofollow',
 222+ 'title' => wfMsg( "coll-{$action}_page_tooltip" ) ),
 223+ $params,
 224+ array( 'known', 'noclasses' )
 225+ )
 226+ );
261227 }
262228
263 - if ( $showShowAndClearLinks && $numArticles > 0 ) {
 229+ if( $showShowAndClearLinks && $numArticles > 0 ) {
264230 global $wgLang;
265231 $articles = wfMsgExt( 'coll-n_pages', array( 'parsemag' ), $wgLang->formatNum( $numArticles ) );
266 - $showCollection = wfMsgHtml( 'coll-show_collection' );
267 - $showCollectionTooltip = wfMsgHtml( 'coll-show_collection_tooltip' );
268 - $showURL = htmlspecialchars( SkinTemplate::makeSpecialUrl( 'Book') );
269 - $out .= <<<EOS
270 - <li><a href="$showURL" rel="nofollow" title="$showCollectionTooltip">$showCollection<br />
271 - ($articles)</a></li>
272 -EOS
273 - ;
 232+ $out .= Xml::tags( 'li', array( 'id' => 'coll-show_collection' ),
 233+ $sk->link( SpecialPage::getTitleFor( 'Book' ),
 234+ wfMsgHtml( 'coll-show_collection' ) . "<br />($articles)" ,
 235+ array( 'rel' => 'nofollow',
 236+ 'title' => wfMsg( 'coll-show_collection_tooltip' ) ),
 237+ array(),
 238+ array( 'known', 'noclasses' )
 239+ )
 240+ );
274241
275 - $clearCollection = wfMsgHtml( 'coll-clear_collection' );
276 - $clearCollectionTooltip = wfMsgHtml( 'coll-clear_collection_tooltip' );
277 - $params = 'return_to=' . $wgTitle->getFullURL();
278 - $href = htmlspecialchars( SkinTemplate::makeSpecialUrlSubpage(
279 - 'Book',
280 - 'clear_collection/',
281 - $params ) );
282242 $msg = htmlspecialchars( wfMsg( 'coll-clear_collection_confirm' ) );
283 - $out .= <<<EOS
284 -<li>
285 - <a href="$href" onclick="if (confirm('$msg')) return true; else return false;" rel="nofollow" title="$clearCollectionTooltip">$clearCollection</a>
286 -</li>
287 -EOS
288 - ;
 243+ $out .= Xml::tags( 'li', array( 'id' => 'coll-clear_collection' ),
 244+ $sk->link( SpecialPage::getTitleFor( 'Book', 'clear_collection/' ),
 245+ wfMsgHtml( "coll-clear_collection" ),
 246+ array( 'onclick' => "if (confirm('$msg')) return true; else return false;",
 247+ 'rel' => 'nofollow',
 248+ 'title' => wfMsg( "coll-clear_collection_tooltip" ) ),
 249+ array( 'return_to' => $wgTitle->getFullURL() ),
 250+ array( 'known', 'noclasses' )
 251+ )
 252+ );
289253 }
290254
291 - $helpCollections = wfMsgHtml( 'coll-help_collections' );
292 - $helpCollectionsTooltip = wfMsgHtml( 'coll-help_collections_tooltip' );
293 - $helpURL = htmlspecialchars( Title::newFromText( wfMsgForContent( 'coll-helppage' ) )->getFullURL() );
294 - $out .= <<<EOS
295 - <li><a href="$helpURL" title="$helpCollectionsTooltip">$helpCollections</a></li>
296 -EOS
297 - ;
 255+ $out .= Xml::tags( 'li', array( 'id' => 'coll-help_collections' ),
 256+ $sk->link( Title::newFromText( wfMsgForContent( 'coll-helppage' ) ),
 257+ wfMsgHtml( 'coll-help_collections' ),
 258+ array( 'title' => wfMsg( 'coll-help_collections_tooltip' ) ),
 259+ array(),
 260+ array( 'known', 'noclasses' )
 261+ )
 262+ );
 263+
 264+ $out .= '</ul>';
 265+ $wgOut->addScript( "/* <![CDATA[ */ wgCollectionAddRemoveState = '$addRemoveState'; /* ]]> */" );
 266+ $wgOut->addScriptFile( "/extensions/Collection/collection/portlet.js?$wgCollectionStyleVersion" );
298267
299 - $out .= <<<EOS
300 -</ul>
301 -<script type="text/javascript">
302 -/* <![CDATA[ */
303 - wgCollectionAddRemoveState = '$addRemoveState';
304 -/* ]]> */
305 -</script>
306 -<script type="text/javascript" src="$wgScriptPath/extensions/Collection/collection/portlet.js?$wgCollectionStyleVersion"></script>
307 -EOS
308 - ;
309 -
310268 // activate popup check:
311269 if ( $wgCollectionNavPopups ) {
312270 $addPageText = wfMsg( 'coll-add_page_popup' );
313271 $addCategoryText = wfMsg( 'coll-add_category_popup' );
314272 $removePageText = wfMsg( 'coll-remove_page_popup' );
315273 $popupHelpText = wfMsg( 'coll-popup_help_text' );
316 - $out .= <<<EOS
317 -<script type="text/javascript">
318 -/* <![CDATA[ */
319 - wgCollectionNavPopupJSURL = '$navPopupJSURL';
320 - wgCollectionNavPopupCSSURL = '$navPopupCSSURL';
321 - wgCollectionAddPageText = '$addPageText';
322 - wgCollectionAddCategoryText = '$addCategoryText';
323 - wgCollectionRemovePageText = '$removePageText';
324 - wgCollectionPopupHelpText = '$popupHelpText';
325 - wgCollectionArticleNamespaces = [
326 -EOS
327 - ;
328 - $out .= implode( ', ', $wgCollectionArticleNamespaces );
329 - $out .= <<<EOS
330 -];
331 -/* ]]> */
332 -</script>
333 -<script type="text/javascript" src="$wgScriptPath/extensions/Collection/collection/json2.js?$wgCollectionStyleVersion"></script>
334 -<script type="text/javascript" src="$wgScriptPath/extensions/Collection/collection/popupcheck.js?$wgCollectionStyleVersion"></script>
335 -EOS
336 - ;
 274+
 275+ $wgOut->addScript( "/* <![CDATA[ */
 276+ wgCollectionNavPopupJSURL = '$wgScriptPath/extensions/Collection/collection/Gadget-popups.js?$wgCollectionStyleVersion';
 277+ wgCollectionNavPopupCSSURL = '$wgScriptPath/extensions/Collection/collection/Gadget-navpop.css?$wgCollectionStyleVersion';
 278+ wgCollectionAddPageText = '$addPageText';
 279+ wgCollectionAddCategoryText = '$addCategoryText';
 280+ wgCollectionRemovePageText = '$removePageText';
 281+ wgCollectionPopupHelpText = '$popupHelpText';
 282+ wgCollectionArticleNamespaces = [ "
 283+ . implode( ', ', $wgCollectionArticleNamespaces )
 284+ . "]; /* ]]> */ " );
 285+ $wgOut->addScriptFile( "/extensions/Collection/collection/json2.js?$wgCollectionStyleVersion" );
 286+ $wgOut->addScriptFile( "/extensions/Collection/collection/popupcheck.js?$wgCollectionStyleVersion" );
 287+
337288 }
338289
339290 return $out;
@@ -342,7 +293,7 @@
343294 * OutputPageCheckLastModified hook
344295 */
345296 static function checkLastModified( $modifiedTimes ) {
346 - if ( CollectionSession::hasSession() && isset( $_SESSION['wsCollection']['timestamp'] ) ) {
 297+ if( CollectionSession::hasSession() && isset( $_SESSION['wsCollection']['timestamp'] ) ) {
347298 $modifiedTimes['collection'] = $_SESSION['wsCollection']['timestamp'];
348299 }
349300 return true;
@@ -351,7 +302,7 @@
352303 static function _isCollectionPage( $title, $article ) {
353304 global $wgCommunityCollectionNamespace;
354305
355 - if ( is_null( $title ) || is_null( $article ) ) {
 306+ if( is_null( $title ) || is_null( $article ) ) {
356307 return false;
357308 }
358309
@@ -367,10 +318,10 @@
368319 static protected function pageInCategory( $pageId, $categoryName ) {
369320 $dbr = wfGetDB( DB_SLAVE );
370321 $count = $dbr->selectField( 'categorylinks', 'COUNT(*)',
371 - array(
372 - 'cl_from' => $pageId,
373 - 'cl_to' => $categoryName ),
374 - __METHOD__ );
375 - return ($count > 0);
 322+ array( 'cl_from' => $pageId,
 323+ 'cl_to' => $categoryName ),
 324+ __METHOD__
 325+ );
 326+ return ( $count > 0 );
376327 }
377328 }
Index: trunk/extensions/Collection/Collection.body.php
@@ -55,7 +55,7 @@
5656 self::limitExceeded();
5757 return;
5858 }
59 - $title_url = $wgRequest->getVal( 'arttitle', '' );
 59+ $title_url = urldecode( $wgRequest->getVal( 'arttitle', '' ) );
6060 $oldid = $wgRequest->getInt( 'oldid', 0 );
6161 $title = Title::newFromURL( $title_url );
6262 $this->addArticle( $title, $oldid );
@@ -68,7 +68,7 @@
6969 $wgOut->redirect( $redirectURL );
7070 return;
7171 case 'remove_article/':
72 - $title_url = $wgRequest->getVal( 'arttitle', '' );
 72+ $title_url = urldecode( $wgRequest->getVal( 'arttitle', '' ) );
7373 $oldid = $wgRequest->getInt( 'oldid', 0 );
7474 $title = Title::newFromURL( $title_url );
7575 self::removeArticle( $title, $oldid );
@@ -96,7 +96,7 @@
9797 $wgOut->redirect( SkinTemplate::makeSpecialUrl( 'Book' ) );
9898 return;
9999 case 'add_category/':
100 - $title = Title::makeTitleSafe( NS_CATEGORY, $wgRequest->getVal( 'cattitle', '' ) );
 100+ $title = Title::makeTitleSafe( NS_CATEGORY, urldecode( $wgRequest->getVal( 'cattitle', '' ) ) );
101101 if ( self::addCategory( $title ) ) {
102102 self::limitExceeded();
103103 return;
@@ -116,7 +116,7 @@
117117 $wgOut->redirect( SkinTemplate::makeSpecialUrl( 'Book' ) );
118118 return;
119119 case 'load_collection/':
120 - $title = Title::newFromText( $wgRequest->getVal( 'colltitle', '' ) );
 120+ $title = Title::newFromText( urldecode( $wgRequest->getVal( 'colltitle', '' ) ) );
121121 if ( $wgRequest->getVal( 'cancel' ) ) {
122122 $wgOut->redirect( $title->getFullURL() );
123123 return;
@@ -135,12 +135,12 @@
136136 $this->renderLoadOverwritePage( $title );
137137 return;
138138 case 'order_collection/':
139 - $title = Title::newFromText( $wgRequest->getVal( 'colltitle', '' ) );
 139+ $title = Title::newFromText( urldecode( $wgRequest->getVal( 'colltitle', '' ) ) );
140140 $collection = $this->loadCollection( $title );
141141 $partner = $wgRequest->getVal( 'partner', 'pediapress' );
142142 return $this->postZIP( $collection, $partner );
143143 case 'save_collection/':
144 - $collTitle = $wgRequest->getVal( 'colltitle' );
 144+ $collTitle = urldecode( $wgRequest->getVal( 'colltitle' ) );
145145 if ( $wgRequest->getVal( 'overwrite' ) && !empty( $collTitle ) ) {;
146146 $title = Title::newFromText( $collTitle );
147147 $this->saveCollection( $title, $overwrite=true );
@@ -152,14 +152,14 @@
153153 $saveCalled = false;
154154 if ( $collType == 'personal' ) {
155155 $userPageTitle = $wgUser->getUserPage()->getPrefixedText();
156 - $name = $wgRequest->getVal( 'pcollname', '' );
 156+ $name = urldecode( $wgRequest->getVal( 'pcollname', '' ) );
157157 if ( !empty( $name ) ) {
158158 $title = Title::newFromText( $userPageTitle . '/' . wfMsgForContent( 'coll-collections' ) . '/' . $name );
159159 $saveCalled = true;
160160 $saved = $this->saveCollection( $title, $overwrite );
161161 }
162162 } else if ( $collType == 'community' ) {
163 - $name = $wgRequest->getVal( 'ccollname', '' );
 163+ $name = urldecode( $wgRequest->getVal( 'ccollname', '' ) );
164164 if ( !empty( $name ) ) {
165165 $title = Title::makeTitle( $wgCommunityCollectionNamespace, wfMsgForContent( 'coll-collections' ) . '/' . $name );
166166 $saveCalled = true;
@@ -188,11 +188,11 @@
189189 case 'download/':
190190 return $this->download();
191191 case 'render_article/':
192 - $title = Title::newFromText( $wgRequest->getVal( 'arttitle', '' ) );
 192+ $title = Title::newFromText( urldecode( $wgRequest->getVal( 'arttitle', '' ) ) );
193193 $oldid = $wgRequest->getInt( 'oldid', 0 );
194194 return $this->renderArticle( $title, $oldid, $wgRequest->getVal( 'writer', 'rl' ) );
195195 case 'render_collection/':
196 - $title = Title::newFromText( $wgRequest->getVal( 'colltitle', '' ) );
 196+ $title = Title::newFromText( urldecode( $wgRequest->getVal( 'colltitle', '' ) ));
197197 $collection = $this->loadCollection( $title );
198198 if ( $collection ) {
199199 $this->renderCollection( $collection, $title, $wgRequest->getVal( 'writer', 'rl' ) );

Comments

#Comment by Brion VIBBER (talk | contribs)   14:49, 11 May 2009

Is this doing some kind of double-encoding of parameters? It looks totally wrong...

r50479 is some sort of follow-up, not sure exactly what for.

#Comment by Happy-melon (talk | contribs)   07:48, 12 May 2009

The return of $wgRequest->getVal() is going to be urlencoded, surely? I can't see any attempt in the call stack to *un*encode it before it gets back to this level, unless it's *really* deep. And it's silly to build the entire URL just to be able to use Title::newFromURL().

r50479 seems to be reverting to injecting the extra JavaScript by direct <script> elements; I had previously called $wgOut->addScriptFile(). Why didn't that work?

#Comment by Jbeigel (talk | contribs)   09:21, 12 May 2009

The code that inserts the script is part of the portlet code in the sidebar. This HTML code is sometimes retrieved and inserted via XMLHttpRequests, so the normal output handler of MediaWiki is not used in this method.

#Comment by Jbeigel (talk | contribs)   09:17, 12 May 2009

I'll have a look at this.

#Comment by Jbeigel (talk | contribs)   09:50, 12 May 2009

The double escaping was introduced in the diff form bug18735: An already escaped URL (from Title::get*URL()) was passed to Xml::tags(). In one of the two relevant places, the 'noescape' option was passed to Xml::tags(), but I guess that's wrong (e.g. the output of wfMsg() is another value passed to Xml::tags() which needs to be escaped). I've committed a change in r50511, where the URLs are decoded and then passed to Xml::tags() which does the usual escaping.

#Comment by Happy-melon (talk | contribs)   11:13, 12 May 2009

The 'noescape' option was left over from [https://bugzilla.wikimedia.org/show_bug.cgi?id=18719 bug18719], which I was convinced was unnecessary. Maybe not...

#Comment by Tim Starling (talk | contribs)   10:55, 4 June 2009

urldecode() is unnecessary because it's done inside PHP. Title::newFromUrl() is identical to Title::newFromText() except for a random ancient hack that breaks titles with question marks in them. It does not decode anything. Using it is always incorrect. These two errors mostly cancel each other out as of r50511 except for the question marks.

This extension clearly needs a review from top to bottom by someone experienced with MediaWiki. The impression I get on scanning the code is that there are lots of obvious errors like these, as well as scary code, in the sense that there is potential for XSS. I'm wondering if it should be disabled on Wikimedia for a week or so post-scap, until we have time to do that.

#Comment by Happy-melon (talk | contribs)   11:15, 4 June 2009

No one from enwiki is going to complain about that; we've already disabled it by hiding the sidebar with CSS. It needs a lot of cleanup from the frontend as well as the back.

#Comment by Jbeigel (talk | contribs)   11:59, 4 June 2009

I don't intend to sound harsh, but:

  • We're very well aware of the discussion on en.wp and we are working on ways to improving the usability and other aspects of the extension (I guess that's what you mean with "lot of cleanup from the frontend"). But IMHO, this discussion doesn't belong here.
  • If the PHP code needs "a lot of cleanup" – especially wrt security issues – I'd be very happy to hear about more concrete suggestions where to improve the code, as I wrote in my reply to Tim.
  • The problems we are (were) discussing for this changeset here were introduced by your patch (though of course I was the one who applied it and thus I am the one to blame b/c I apparently didn't review it carefully enough). Please don't get me wrong: I'm very thankful for the improvements contained in your patch! But these particular problems weren't present before this changeset and AFAIK they have been fixed in the current version of the extension.
  • The "Create a book" portlet might be currently hidden in en.wp, but the extension is still installed and can be accessed. For example, the "PDF version" link still exists and the Special:Book page is still accessible. So if there really are any security issues with the Collection code, hiding some HTML via CSS doesn't help very much.
#Comment by Happy-melon (talk | contribs)   15:01, 4 June 2009

Don't get me wrong, the fact that it's my patch is the reason I'm here. I suppose in the abstract, 'not using core MediaWiki functionality at all' *is* a way of 'not using the wrong MediaWiki functionality', but I believe (hope certainly) that this patch is at worst a step sideways. Certainly the plethora of hardcoded HTMl is *not* the best solution. I'm with you all the way on your comment below: if Title::newFromUrl() is deprecated, it should be marked as such, else people like you or I will be inclined to use it in good faith.

As you say, the how-to-improve-usability discussion doesn't belong here; all I meant by this comment was that, since we've done our best to 'remove' it already, no one is going to miss it if it's take off for a few weeks for an overhaul (by "it needs a lot of cleanup", I mean the UI in general, not the code specifically). Although I admit I don't really see what the benefit of that is: it's not like it's a server which can't be worked on and used at the same time. Either there are security vulnerabilities, in which case it should be disabled *now* and left that way until they're fixed, or there are only usability issues, in which case there's no harm in leaving it installed but largely disabled until said issues are resolved. As you say, the PDF version link is useful quite apart from the full collections system.

#Comment by Jbeigel (talk | contribs)   15:15, 4 June 2009

OK, full ACK here :)

#Comment by Jbeigel (talk | contribs)   11:35, 4 June 2009

If using newFromUrl() is "always incorrect" why does it still exist without any such comment in Title.php and why is it used in several places in MediaWiki code? Anyway, I've changed all three occurrences of newFromUrl() into newFromText() in r51464.

I'm a bit puzzled by your comment though: Aren't the problems introduced in this changeset here fixed with r50511 and r50542? If not, what are the two errors that "mostly cancel each other out" in the current version of the extension?

And regarding your last paragraph: Of course, I'd be more than thankful for all pointers to "scary code" and will happily fix it!

#Comment by Tim Starling (talk | contribs)   04:20, 5 June 2009

I added such a comment to Title::newFromURL() in r51326 during the course of the current batch of code review, when I realised how many people were using it.

#Comment by Tim Starling (talk | contribs)   04:20, 16 August 2009

I think this is all fixed now.

Status & tagging log