r9318 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r9317‎ \| r9318 \| r9319 >
Date:	14:51, 3 June 2005
Author:	vibber
Status:	old
Tags:
Comment:	Bump to 1.4.5
Modified paths:	/branches/REL1_4/phase3/RELEASE-NOTES (modified) (history) /branches/REL1_4/phase3/includes/DefaultSettings.php (modified) (history) /branches/REL1_4/phase3/includes/Parser.php (modified) (history) /branches/REL1_4/phase3/maintenance/parserTests.txt (modified) (history)

Diff [purge]

Index: branches/REL1_4/phase3/maintenance/parserTests.txt
—	—	@@ -1966,6 +1966,91 @@
1967	1967	!!end
1968	1968
1969	1969
	1970	+###
	1971	+### Safety
	1972	+###
	1973	+
	1974	+!! test
	1975	+Bug 2304: HTML attribute safety (template)
	1976	+!! input
	1977	+<div title="{{test}}"></div>
	1978	+!! result
	1979	+<div title="{{test}}"></div >
	1980	+
	1981	+!! end
	1982	+
	1983	+!! test
	1984	+Bug 2304: HTML attribute safety (link)
	1985	+!! input
	1986	+<div title="[[Main Page]]"></div>
	1987	+!! result
	1988	+<div title="[[Main Page]]"></div >
	1989	+
	1990	+!! end
	1991	+
	1992	+!! test
	1993	+Bug 2304: HTML attribute safety (italics)
	1994	+!! input
	1995	+<div title="''foobar''"></div>
	1996	+!! result
	1997	+<div title="''foobar''"></div >
	1998	+
	1999	+!! end
	2000	+
	2001	+!! test
	2002	+Bug 2304: HTML attribute safety (bold)
	2003	+!! input
	2004	+<div title="'''foobar'''"></div>
	2005	+!! result
	2006	+<div title="'''foobar'''"></div >
	2007	+
	2008	+!! end
	2009	+
	2010	+!! test
	2011	+Bug 2304: HTML attribute safety (ISBN)
	2012	+!! input
	2013	+<div title="ISBN 1234567890"></div>
	2014	+!! result
	2015	+<div title="ISBN 1234567890"></div >
	2016	+
	2017	+!! end
	2018	+
	2019	+!! test
	2020	+Bug 2304: HTML attribute safety (RFC)
	2021	+!! input
	2022	+<div title="RFC 1234"></div>
	2023	+!! result
	2024	+<div title="RFC 1234"></div >
	2025	+
	2026	+!! end
	2027	+
	2028	+!! test
	2029	+Bug 2304: HTML attribute safety (PMID)
	2030	+!! input
	2031	+<div title="PMID 1234567890"></div>
	2032	+!! result
	2033	+<div title="PMID 1234567890"></div >
	2034	+
	2035	+!! end
	2036	+
	2037	+!! test
	2038	+Bug 2304: HTML attribute safety (web link)
	2039	+!! input
	2040	+<div title="http://example.com/"></div>
	2041	+!! result
	2042	+<div title="http://example.com/"></div >
	2043	+
	2044	+!! end
	2045	+
	2046	+!! test
	2047	+Bug 2304: HTML attribute safety (named web link)
	2048	+!! input
	2049	+<div title="[http://example.com/ link]"></div>
	2050	+!! result
	2051	+<div title="[http://example.com/ link]"></div >
	2052	+
	2053	+!! end
	2054	+
1970	2055	TODO:
1971	2056	more images
1972	2057	more tables
Index: branches/REL1_4/phase3/includes/Parser.php
—	—	@@ -496,6 +496,20 @@
497	497	{
498	498	$t='';
499	499	}
	500	+
	501	+ # Templates and links may be expanded in later parsing,
	502	+ # creating invalid or dangerous output. Suppress this.
	503	+ $t = strtr( $t, array(
	504	+ '{' => '{',
	505	+ '[' => '[',
	506	+ "''" => '''',
	507	+ 'ISBN' => 'ISBN',
	508	+ 'RFC' => 'RFC',
	509	+ 'PMID' => 'PMID',
	510	+ ) );
	511	+ $t = preg_replace(
	512	+ '/(' . URL_PROTOCOLS . '):/',
	513	+ '\\1:', $t );
500	514
501	515	return trim ( $t ) ;
502	516	}
Index: branches/REL1_4/phase3/includes/DefaultSettings.php
—	—	@@ -19,7 +19,7 @@
20	20	* MediaWiki version number
21	21	* @global string $wgVersion
22	22	*/
23		~~-$wgVersion = '1.4.4';~~
	23	+$wgVersion = '1.4.5';
24	24
25	25	/**
26	26	* Name of the site.
Index: branches/REL1_4/phase3/RELEASE-NOTES
—	—	@@ -5,11 +5,28 @@
6	6
7	7	== MediaWiki 1.4.5 ==
8	8
9		~~-(to be released)~~
	9	+(released 2005-06-03)
10	10
11		~~-Various minor bug fixes, some backports.~~
	11	+MediaWiki 1.4.5 is a security update and bugfix release.
12	12
	13	+Incorrect handling of page template inclusions made it possible to
	14	+inject JavaScript code into HTML attributes, which could lead to
	15	+cross-site scripting attacks on a publicly editable wiki.
13	16
	17	+Vulnerable releases and fix:
	18	+* 1.5 prerelease: fixed in 1.5alpha2
	19	+* 1.4 stable series: fixed in 1.4.5
	20	+* 1.3 legacy series: fixed in 1.3.13
	21	+* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended
	22	+
	23	+This release also includes a number of bug fixes (see changelog below)
	24	+and merges some large-server load balancing patches from Wikipedia.
	25	+
	26	+An experimental rate limiter for page edits and moves can be enabled
	27	+with global, per-IP, per-subnet, or per-user bases. See configuration
	28	+options in includes/DefaultSettings.php
	29	+
	30	+
14	31	== MediaWiki 1.4.4 ==
15	32
16	33	(released 2005-05-04)
—	—	@@ -611,6 +628,7 @@
612	629	* (bug 2281) Fix regression with page moves taking the wrong talk pages
613	630	* Regression fix: watchlist day cutoff
614	631	* (bug 2173) Fatal error when removing an article with an empty title from the watchlist
	632	+* (bug 2034) Armor HTML attributes against template inclusion and links munging
615	633
616	634
617	635	=== Caveats ===

Status & tagging log

01:56, 13 October 2010 😂 (talk | contribs) changed the status of r9318 [removed: new added: old]