r53194 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r53193‎ | r53194 | r53195 >
Date:21:37, 13 July 2009
Author:btongminh
Status:ok (Comments)
Tags:
Comment:
(bug 19528) Added XSLT parameter to API queries in format=xml
Modified paths:
  • /trunk/phase3/RELEASE-NOTES (modified) (history)
  • /trunk/phase3/includes/api/ApiFormatXml.php (modified) (history)

Diff

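--- a/trunk/phase3/includes/api/ApiFormatXml.php
+++ b/trunk/phase3/includes/api/ApiFormatXml.php
@@ -35,6 +35,7 @@
 
 private $mRootElemName = 'api';
 private $mDoubleQuote = false;
+ private $mXslt = null;
 
 public function __construct($main, $format) {
 parent :: __construct($main, $format);
@@ -55,8 +56,11 @@
 public function execute() {
 $params = $this->extractRequestParams();
 $this->mDoubleQuote = $params['xmldoublequote'];
+ $this->mXslt = $params['xslt'];
 
 $this->printText('<?xml version="1.0"?>');
+ if (!is_null($this->mXslt))
+ $this->addXslt();
 $this->recXmlPrint($this->mRootElemName, $this->getResultData(), $this->getIsHtml() ? -2 : null);
 }
 
@@ -150,19 +154,38 @@
 break;
 }
 }
+ function addXslt() {
+ $nt = Title::newFromText( $this->mXslt );
+ if ( is_null( $nt ) || !$nt->exists() ) {
+ $this->setWarning( 'Invalid or non-existent stylesheet specified' );
+ return;
+ }
+ if ( $nt->getNamespace() != NS_MEDIAWIKI ) {
+ $this->setWarning( 'Stylesheet should be in the MediaWiki namespace.' );
+ return;
+ }
+ if ( substr( $nt->getText(), -4 ) !== '.xsl' ) {
+ $this->setWarning( 'Stylesheet should have .xsl extension.' );
+ return;
+ }
+ $this->printText( '<?xml-stylesheet href="' . $nt->escapeLocalURL( 'action=raw' ) . '" type="text/xsl" ?>' );
+ }
+
 private function doubleQuote( $text ) {
 return Sanitizer::encodeAttribute( $text );
 }
 
 public function getAllowedParams() {
 return array (
- 'xmldoublequote' => false
+ 'xmldoublequote' => false,
+ 'xslt' => null,
 );
 }
 
 public function getParamDescription() {
 return array (
 'xmldoublequote' => 'If specified, double quotes all attributes and content.',
+ 'xslt' => 'If specified, adds <xslt> as stylesheet',
 );
 }
 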
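Review bot: `addXslt()` is declared without a visibility keyword, so it is implicitly public even though it only does something useful after `execute()` has set `$this->mXslt`; as far as the visible hunks show it is called only from `execute()`, so I would declare it `private function addXslt()` like `doubleQuote()` right below it. The method also has no doc comment: a short docblock should say that it prints the `<?xml-stylesheet ?>` processing instruction only when the title exists, is in `NS_MEDIAWIKI` and ends in `.xsl`, and otherwise records a warning and prints nothing. The `xslt` entry in `getParamDescription()` could state the same constraints, e.g. `'xslt' => 'If specified, adds <xslt> as stylesheet; must be an existing MediaWiki-namespace page ending in .xsl'`, so API users learn them without first triggering the warnings.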
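--- a/trunk/phase3/RELEASE-NOTES
+++ b/trunk/phase3/RELEASE-NOTES
@@ -292,6 +292,7 @@
 * Added snippet field to list=search output
 * (bug 17809) Add number of users in user groups to meta=siteinfo
 * (bug 18533) Add readonly reason to readonly exception
+* (bug 19528) Added XSLT parameter to API queries in format=xml
 
 === Languages updated in 1.16 ===
 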

Follow-up revisions

RevisionCommit summaryAuthorDate
r55749Fix for r53194: according to the XSLT 1.0 spec, the MIME type should be text/...tstarling08:05, 2 September 2009
r61419(bug 19528) Revert 55749: "according to the XSLT 1.0 spec, the MIME type shou...btongminh15:27, 23 January 2010

Comments

#Comment by Brion VIBBER (talk | contribs)   17:14, 22 August 2009

Erm, is this safe? Can't XSLT be used to transform the API's XML into, say, arbitrary HTML with JavaScript?

#Comment by Bryan (talk | contribs)   17:27, 22 August 2009

That is possible; that is why the stylesheet is limited to the MediaWiki namespace by default. If you can edit that, you have far easier ways to insert arbitrary JavaScript.

#Comment by Tim Starling (talk | contribs)   08:07, 2 September 2009

Fine by me.
