-rw-r--r--includes/AjaxDispatcher.php3
-rw-r--r--includes/EditPage.php4
-rw-r--r--includes/htmlform/HTMLFormField.php11
3 files changed, 16 insertions, 2 deletions
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 5f825c8b5ac7..f6c907513681 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -104,6 +104,9 @@ class AjaxDispatcher {
* they should be carefully handled in the function processing the
* request.
*
+ * phan-taint-check triggers as it is not smart enough to understand
+ * the early return if func_name not in AjaxExportList.
+ * @suppress SecurityCheck-XSS
* @param User $user
*/
function performAction( User $user ) {
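Review bot: The `@suppress SecurityCheck-XSS` added above the signature silences every XSS finding in the whole of performAction, not only the false positive the comment describes, so any unescaped output added to this method later will also go unreported. If the phan version in use supports it, a line-level `@phan-suppress-next-line SecurityCheck-XSS` placed directly above the statement that trips the check would keep the rest of the method covered; otherwise the docblock should at least name the statement that is being suppressed so a later reader can re-check it. The body of performAction, including the early return the comment relies on, lies outside this hunk.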
diff --git a/includes/EditPage.php b/includes/EditPage.php
index 670b93d0f169..6b4dcc21c819 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1782,7 +1782,7 @@ ERROR;
if ( $this->summary === '' ) {
$cleanSectionTitle = $wgParser->stripSectionName( $this->sectiontitle );
return $this->context->msg( 'newsectionsummary' )
- ->rawParams( $cleanSectionTitle )->inContentLanguage()->text();
+ ->plaintextParams( $cleanSectionTitle )->inContentLanguage()->text();
}
} elseif ( $this->summary !== '' ) {
$sectionanchor = $this->guessSectionName( $this->summary );
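Review bot: The two branches changed here and in the next hunk (@@ -1790) are near-duplicates: both strip the section name with `$wgParser->stripSectionName()` and then build the `newsectionsummary` message with the result, now via `plaintextParams`. A small private helper taking the raw title and returning the formatted summary would leave one place to keep the parameter kind correct instead of two. Note also that since the message is rendered with `->text()`, I believe plaintext and raw parameters produce the same string in that format, so this swap mainly documents the parameter as untrusted for the taint checker rather than changing the output; worth confirming against Message::formatPlaintext before relying on it as an escaping fix. The enclosing method starts before this hunk.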
@@ -1790,7 +1790,7 @@ ERROR;
# in the revision summary.
$cleanSummary = $wgParser->stripSectionName( $this->summary );
return $this->context->msg( 'newsectionsummary' )
- ->rawParams( $cleanSummary )->inContentLanguage()->text();
+ ->plaintextParams( $cleanSummary )->inContentLanguage()->text();
}
return $this->summary;
}
diff --git a/includes/htmlform/HTMLFormField.php b/includes/htmlform/HTMLFormField.php
index bd08da0e22e8..a88ab9934d68 100644
--- a/includes/htmlform/HTMLFormField.php
+++ b/includes/htmlform/HTMLFormField.php
@@ -878,8 +878,13 @@ abstract class HTMLFormField {
* Determine form errors to display and their classes
* @since 1.20
*
+ * phan-taint-check gets confused with returning both classes
+ * and errors and thinks double escaping is happening, so specify
+ * that return value has no taint.
+ *
* @param string $value The value of the input
* @return array array( $errors, $errorClass )
+ * @return-taint none
*/
public function getErrorsAndErrorClass( $value ) {
$errors = $this->validate( $value, $this->mParent->mFieldData );
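Review bot: `@return-taint none` on getErrorsAndErrorClass clears taint on the errors array that comes straight out of `$this->validate()`, so any user-controlled text a validation callback returns is no longer tracked from this point; the docblock explains the tool limitation but not why the return value is considered safe. The comment should state the actual reason, for instance `The errors are only ever emitted through formatErrors(), which is annotated as exec_html and verifies escaping on its side`, so the next maintainer knows what invariant the annotation depends on. The method body continues outside this hunk.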
@@ -1149,6 +1154,12 @@ abstract class HTMLFormField {
* Formats one or more errors as accepted by field validation-callback.
*
* @param string|Message|array $errors Array of strings or Message instances
+ * To work around limitations in phan-taint-check the calling
+ * class has taintedness disabled. So instead we pretend that
+ * this method outputs html, since the result is eventually
+ * outputted anyways without escaping and this allows us to verify
+ * stuff is safe even though the caller has taintedness cleared.
+ * @param-taint $errors exec_html
* @return string HTML
* @since 1.18
*/
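Review bot: The five-line explanation inserted after `@param string|Message|array $errors` is indented as a continuation of that tag, so doc tooling will render the phan-taint-check workaround as part of the parameter description. It is better placed in the free-text section above the tags, as the previous hunk does for getErrorsAndErrorClass, with only `@param-taint $errors exec_html` kept next to the `@param` line. The method signature and body lie outside this hunk.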