r55394 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r55393‎ \| r55394 \| r55395 >
Date:	21:30, 20 August 2009
Author:	simetrical
Status:	ok
Tags:
Comment:	Remove somewhat braindead comments On second thought, if you're outputting user-supplied JS without careful validation, it doesn't really matter if it's HTML-escaped or not. :D CSS has expr() and such too.
Modified paths:	/trunk/phase3/includes/Html.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/Html.php
—	—	@@ -194,10 +194,6 @@
195	195	* escaping as well, like if $contents contains literal '</script>' or (for
196	196	* XML) literal "]]>".
197	197	*
198		~~- * Note that $contents will not be escaped, since JS may legitimately~~
199		~~- * contain unescaped characters like "<". Make sure you don't output~~
200		~~- * untrusted user input here!~~
201		- *
202	198	* @param $contents string JavaScript
203	199	* @return string Raw HTML
204	200	*/
—	—	@@ -234,10 +230,6 @@
235	231	* (if any). TODO: do some useful escaping as well, like if $contents
236	232	* contains literal '</style>' (admittedly unlikely).
237	233	*
238		~~- * Note that $contents will not be escaped, since CSS may legitimately~~
239		~~- * contain unescaped characters like "<". Make sure you don't output~~
240		~~- * untrusted user input here!~~
241		- *
242	234	* @param $contents string CSS
243	235	* @param $media mixed A media type string, like 'screen', or null for all
244	236	* media

17:39, 9 September 2009 Brion VIBBER (talk | contribs) changed the status of r55394 [removed: new added: ok]