author | jenkins-bot <jenkins-bot@gerrit.wikimedia.org> | 2018-08-30 02:54:03 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@wikimedia.org> | 2018-08-30 02:54:03 +0000 |
commit | fede766fe9950e3a036c263bf17d19d31278221c (patch) | |
tree | 03ef82d0ec471a8827e29ba5278600c2f790e36d | |
parent | f7b7d9400d993abb545db503d30e20206689a1e1 (diff) | |
parent | f631c16e849840e6aa01394c9e0c9bc0b37bbe44 (diff) | |
download | mediawikicore-fede766fe9950e3a036c263bf17d19d31278221c.tar.gz mediawikicore-fede766fe9950e3a036c263bf17d19d31278221c.zip |
Merge "Fix some warnings from phan-taint-check"
-rw-r--r-- | includes/AjaxDispatcher.php | 3 | ||||
-rw-r--r-- | includes/EditPage.php | 4 | ||||
-rw-r--r-- | includes/htmlform/HTMLFormField.php | 11 |
3 files changed, 16 insertions, 2 deletions
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 5f825c8b5ac7..f6c907513681 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -104,6 +104,9 @@ class AjaxDispatcher {
 * they should be carefully handled in the function processing the
 * request.
 *
+ * phan-taint-check triggers as it is not smart enough to understand
+ * the early return if func_name not in AjaxExportList.
+ * @suppress SecurityCheck-XSS
 * @param User $user
 */
 function performAction( User $user ) {
diff --git a/includes/EditPage.php b/includes/EditPage.php
index 670b93d0f169..6b4dcc21c819 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1782,7 +1782,7 @@ ERROR;
 if ( $this->summary === '' ) {
 $cleanSectionTitle = $wgParser->stripSectionName( $this->sectiontitle );
 return $this->context->msg( 'newsectionsummary' )
- ->rawParams( $cleanSectionTitle )->inContentLanguage()->text();
+ ->plaintextParams( $cleanSectionTitle )->inContentLanguage()->text();
 }
 } elseif ( $this->summary !== '' ) {
 $sectionanchor = $this->guessSectionName( $this->summary );
@@ -1790,7 +1790,7 @@ ERROR;
 # in the revision summary.
 $cleanSummary = $wgParser->stripSectionName( $this->summary );
 return $this->context->msg( 'newsectionsummary' )
- ->rawParams( $cleanSummary )->inContentLanguage()->text();
+ ->plaintextParams( $cleanSummary )->inContentLanguage()->text();
 }
 return $this->summary;
 }
diff --git a/includes/htmlform/HTMLFormField.php b/includes/htmlform/HTMLFormField.php
index bd08da0e22e8..a88ab9934d68 100644
--- a/includes/htmlform/HTMLFormField.php
+++ b/includes/htmlform/HTMLFormField.php
@@ -878,8 +878,13 @@ abstract class HTMLFormField {
 * Determine form errors to display and their classes
 * @since 1.20
 *
+ * phan-taint-check gets confused with returning both classes
+ * and errors and thinks double escaping is happening, so specify
+ * that return value has no taint.
+ *
 * @param string $value The value of the input
 * @return array array( $errors, $errorClass )
+ * @return-taint none
 */
 public function getErrorsAndErrorClass( $value ) {
 $errors = $this->validate( $value, $this->mParent->mFieldData );
@@ -1149,6 +1154,12 @@ abstract class HTMLFormField {
 * Formats one or more errors as accepted by field validation-callback.
 *
 * @param string|Message|array $errors Array of strings or Message instances
+ To work around limitations in phan-taint-check the calling
+ class has taintedness disabled. So instead we pretend that
+ this method outputs html, since the result is eventually
+ outputted anyways without escaping and this allows us to verify
+ stuff is safe even though the caller has taintedness cleared.
+ @param-taint $errors exec_html
 * @return string HTML
 * @since 1.18
 */ |
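Review bot: `@suppress SecurityCheck-XSS` in the performAction docblock silences the XSS check for the whole method, not only the func_name allowlist lookup the added comment describes, so any output path added to performAction later will go unchecked; performAction's body lies outside the hunk. The comment should state that trade-off so the next maintainer sees it, e.g. ` * NOTE: this suppresses XSS analysis for the entire method; keep the AjaxExportList early return ahead of any output and re-check new output paths by hand.` If the phan version in use supports `@phan-suppress-next-line`, narrowing the suppression to the line the checker flags would keep coverage for the rest of the method.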
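Review bot: The switch from `rawParams` to `plaintextParams` in both EditPage hunks (1782 and 1790) is the right call for a user-controlled section title or summary, but nothing in the code records why, so a later reader may restore `rawParams` for symmetry with other call sites. A one-line comment above the first `return $this->context->msg( 'newsectionsummary' )` would pin it: `// The stripped title/summary is user text, not pre-escaped markup: plaintextParams keeps both the message parser and the taint checker treating it literally.` Because both branches end in `->text()`, the rendered summary is presumably unchanged by this (plaintext params are emitted verbatim in text format) — worth confirming against Message's plaintext handling. The enclosing method starts before the first hunk and ends at the second.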
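Review bot: `@return-taint none` on getErrorsAndErrorClass declares both elements of the returned array trusted in every sink context, and the body that builds them continues outside the hunk, so the docblock should say what makes that true rather than only that the checker is confused — once confirmed against the body, something like ` * Both elements are safe by construction: $errors is HTML from formatErrors() (its $errors parameter is annotated exec_html) and $errorClass is a fixed class name; preserve that invariant when editing this method.` If phan-taint-check's narrower `escaped` return taint also clears the double-escaping false positive, it documents the HTML-only guarantee more precisely than `none` and is worth trying first. In the second hunk (1149), the six added lines appear here without the leading ` * ` continuation the surrounding docblock lines use; if that is how the patch reads rather than a rendering artifact, add it so `@param-taint $errors exec_html` parses as a docblock tag.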