author | Daimona Eaytoy <daimona.wiki@gmail.com> | 2023-09-23 20:35:39 +0200 |
committer | Daimona Eaytoy <daimona.wiki@gmail.com> | 2023-09-23 20:02:59 +0000 |
commit | becfd3ceb3aa156f0acd640f44f52570ef07740d (patch) | |
tree | a4298acf0ff76324996039f99a27e1d13ccc7cf2 /includes/language/Message.php | |
parent | d31d5bfa92b6cc10e06f16af11b182e9df9d8e72 (diff) | |
Add another batch of taint-check annotations
Copied from MediaWikiSecurityCheckPlugin.php.
Duplicate annotations from Xml::encode* to the corresponding
Html::encode* methods, given that these were moved recently but not
hardcoded in taint-check.
As the only difference, remove the HTML taintedness type from the return
value of Message::rawParams. If the argument is unsafe, it's reported
immediately thanks to exec_html. Else, it does not contribute to the
taintedness of the return value.
Bug: T321806
Change-Id: I5ed340e1d127fb3eab6d6f9b905693d05a393360
Diffstat (limited to 'includes/language/Message.php')
-rw-r--r-- | includes/language/Message.php | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/includes/language/Message.php b/includes/language/Message.php
index fe723b10d394..1e0039c52074 100644
--- a/includes/language/Message.php
+++ b/includes/language/Message.php
@@ -541,6 +541,7 @@ class Message implements MessageSpecifier, Serializable {
  *
  * @param mixed ...$params Raw parameters as strings, or a single argument that is
  * an array of raw parameters.
+ * @param-taint ...$params html,exec_html
  *
  * @return self $this
  */
@@ -1020,13 +1021,14 @@ class Message implements MessageSpecifier, Serializable {
 }

 /**
- * Magic method implementation of the above (for PHP >= 5.2.0), so we can do, eg:
+ * Magic method implementation of the above, so we can do, eg:
  * $foo = new Message( $key );
  * $string = "<abbr>$foo</abbr>";
  *
  * @since 1.18
  *
  * @return string
+ * @return-taint escaped
  */
 public function __toString() {
 return $this->format( self::FORMAT_PARSE );
@@ -1038,6 +1040,7 @@ class Message implements MessageSpecifier, Serializable {
  * @since 1.17
  *
  * @return string Parsed HTML.
+ * @return-taint escaped
  */
 public function parse() {
 return $this->format( self::FORMAT_PARSE );
@@ -1050,6 +1053,7 @@ class Message implements MessageSpecifier, Serializable {
  * @since 1.17
  *
  * @return string Unescaped message text.
+ * @return-taint tainted
  */
 public function text() {
 return $this->format( self::FORMAT_TEXT );
@@ -1061,6 +1065,7 @@ class Message implements MessageSpecifier, Serializable {
  * @since 1.17
  *
  * @return string Unescaped untransformed message text.
+ * @return-taint tainted
  */
 public function plain() {
 return $this->format( self::FORMAT_PLAIN );
@@ -1072,6 +1077,7 @@ class Message implements MessageSpecifier, Serializable {
  * @since 1.17
  *
  * @return string HTML
+ * @return-taint escaped
  */
 public function parseAsBlock() {
 return $this->format( self::FORMAT_BLOCK_PARSE );
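Review bot: The new `@param-taint ...$params html,exec_html` on rawParams is read only by the taint-check plugin, while the human-readable part of the docblock still describes the parameters as "raw" without saying that they are emitted as HTML without escaping, which is exactly what the exec_html sink encodes; a one-line note for callers who never run the plugin would make the contract explicit, e.g. `* Raw parameters are not escaped, so each value must already be safe HTML (see @param-taint).` The same docblock accepts a single array of raw parameters; I believe taint-check folds element taint into the containing array so the sink still covers that form, but that is worth confirming with a plugin test fixture rather than assuming. The rawParams signature and body lie outside this hunk. The @return-taint annotations in the later hunks (__toString, parse, text, plain, parseAsBlock, escaped) are only correct while each method keeps delegating to format() with its current FORMAT_* constant, which is also outside these hunks; a short reminder beside the tainted ones, `* @return-taint tainted (unescaped output; keep in sync with the FORMAT_* constant passed to format())`, would reduce the chance of silent drift.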
@@ -1084,6 +1090,7 @@ class Message implements MessageSpecifier, Serializable {
  * @since 1.17
  *
  * @return string HTML escaped message text.
+ * @return-taint escaped
  */
 public function escaped() {
 return $this->format( self::FORMAT_ESCAPED ); |