author | C. Scott Ananian <cscott@cscott.net> | 2022-02-07 17:37:56 -0500 |
committer | C. Scott Ananian <cscott@cscott.net> | 2022-02-10 17:09:18 -0500 |
commit | 9e033de4f22ce46bfaf45556ecad2e221e7d298d (patch) | |
tree | 3942111ea7196410727aac68a037a210e00d9594 /includes/changes | |
parent | 45d6341cab8a23f85a8fad9079f9992b8e078d5f (diff) | |
Don't double-escape the ellipses in Language::truncateForVisual()
It turns out this gets rid of a number of suppressed
"SecurityCheck-DoubleEscaped" warnings that appear to have been
accurate.
There seems to have been some confusion about how ::truncateForVisual()
is supposed to be used; in particular it is to be passed *unescaped*
output, because it is not (generally speaking) safe to truncate
HTML-escaped strings. The goal of ::truncateForVisual() is to have
a specific number of codepoints in the output for display purposes,
the encoding of those codepoints is not an issue (htmlspecialchars
can be applied to the *return value*.) If you need a specific number
of *bytes* you should be using ::truncateForDatabase(). If you want
a certain number of *HTML bytes* then the ::truncateHtml() method
is probably what you want.
Slightly refactor some code in RevDelLogItem to avoid a false positive.
Bug: T301205
Bug: T290624
Change-Id: I893362e049aedfa699043fcf27caf4815196f748
Diffstat (limited to 'includes/changes')
-rw-r--r-- | includes/changes/ChangesList.php | 1 | ||||
-rw-r--r-- | includes/changes/RCCacheEntryFactory.php | 1 | ||||
-rw-r--r-- | includes/changes/RecentChange.php | 1 |
3 files changed, 0 insertions, 3 deletions
diff --git a/includes/changes/ChangesList.php b/includes/changes/ChangesList.php
index fd564d01a452..06a05410aab3 100644
--- a/includes/changes/ChangesList.php
+++ b/includes/changes/ChangesList.php
@@ -685,7 +685,6 @@ class ChangesList extends ContextSource {
 $s .= ' <span class="' . $deletedClass . '">' .
 $this->msg( 'rev-deleted-user' )->escaped() . '</span>';
 } else {
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped
 $s .= $this->getLanguage()->getDirMark() . Linker::userLink( $rc->mAttribs['rc_user'],
 $rc->mAttribs['rc_user_text'] );
 $s .= Linker::userToolLinks(
diff --git a/includes/changes/RCCacheEntryFactory.php b/includes/changes/RCCacheEntryFactory.php
index ce6785f20f9f..9d457972b374 100644
--- a/includes/changes/RCCacheEntryFactory.php
+++ b/includes/changes/RCCacheEntryFactory.php
@@ -285,7 +285,6 @@ class RCCacheEntryFactory {
 $userLink = ' <span class="history-deleted">' .
 $this->context->msg( 'rev-deleted-user' )->escaped() . '</span>';
 } else {
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped Triggered by Linker?
 $userLink = Linker::userLink(
 $cacheEntry->mAttribs['rc_user'],
 $cacheEntry->mAttribs['rc_user_text'],
diff --git a/includes/changes/RecentChange.php b/includes/changes/RecentChange.php
index 4aadf2044b56..b1b74fe7420b 100644
--- a/includes/changes/RecentChange.php
+++ b/includes/changes/RecentChange.php
@@ -1172,7 +1172,6 @@ class RecentChange implements Taggable {
  */
 public function getAttribute( $name ) {
 if ( $name === 'rc_comment' ) {
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped
 return CommentStore::getStore()
 ->getComment( 'rc_comment', $this->mAttribs, true )->text;
 }