Diffstat (limited to 'includes')
-rw-r--r-- | includes/Storage/PageUpdater.php | 2 | ||||
-rw-r--r-- | includes/actions/MarkpatrolledAction.php | 1 | ||||
-rw-r--r-- | includes/changes/ChangesList.php | 1 | ||||
-rw-r--r-- | includes/changes/RCCacheEntryFactory.php | 1 | ||||
-rw-r--r-- | includes/changes/RecentChange.php | 1 | ||||
-rw-r--r-- | includes/export/XmlDumpWriter.php | 2 | ||||
-rw-r--r-- | includes/gallery/TraditionalImageGallery.php | 1 | ||||
-rw-r--r-- | includes/language/Language.php | 9 | ||||
-rw-r--r-- | includes/logging/LogPage.php | 3 | ||||
-rw-r--r-- | includes/rcfeed/IRCColourfulRCFeedFormatter.php | 1 | ||||
-rw-r--r-- | includes/revisiondelete/RevDelLogItem.php | 8 | ||||
-rw-r--r-- | includes/search/SearchHighlighter.php | 1 |
12 files changed, 13 insertions, 18 deletions
diff --git a/includes/Storage/PageUpdater.php b/includes/Storage/PageUpdater.php
index 91d8c886f336..071f102a5707 100644
--- a/includes/Storage/PageUpdater.php
+++ b/includes/Storage/PageUpdater.php
@@ -1349,7 +1349,6 @@ class PageUpdater {
 // Update recentchanges
 if ( !( $this->flags & EDIT_SUPPRESS_RC ) ) {
 // Add RC row to the DB
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped
 RecentChange::notifyEdit(
 $now,
 $this->getPage(),
@@ -1475,7 +1474,6 @@ class PageUpdater {
 // Update recentchanges
 if ( !( $this->flags & EDIT_SUPPRESS_RC ) ) {
 // Add RC row to the DB
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped
 RecentChange::notifyNew(
 $now,
 $this->getPage(),
diff --git a/includes/actions/MarkpatrolledAction.php b/includes/actions/MarkpatrolledAction.php
index 745a6786030b..e89c27b8a40a 100644
--- a/includes/actions/MarkpatrolledAction.php
+++ b/includes/actions/MarkpatrolledAction.php
@@ -87,7 +87,6 @@ class MarkpatrolledAction extends FormAction {
 'diff' => $revId, 'oldid' => $rc->getAttribute( 'rc_last_oldid' )
 ];
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped Triggered by RecentChange::getAttribute
 $revlink = $this->linkRenderer->makeLink( $title, $revId, [], $query );
 $pagelink = $this->linkRenderer->makeLink( $title, $title->getPrefixedText() );
diff --git a/includes/changes/ChangesList.php b/includes/changes/ChangesList.php
index fd564d01a452..06a05410aab3 100644
--- a/includes/changes/ChangesList.php
+++ b/includes/changes/ChangesList.php
@@ -685,7 +685,6 @@ class ChangesList extends ContextSource {
 $s .= ' <span class="' . $deletedClass . '">' . $this->msg( 'rev-deleted-user' )->escaped() . '</span>';
 } else {
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped
 $s .= $this->getLanguage()->getDirMark() . Linker::userLink( $rc->mAttribs['rc_user'],
 $rc->mAttribs['rc_user_text'] );
 $s .= Linker::userToolLinks(
diff --git a/includes/changes/RCCacheEntryFactory.php b/includes/changes/RCCacheEntryFactory.php
index ce6785f20f9f..9d457972b374 100644
--- a/includes/changes/RCCacheEntryFactory.php
+++ b/includes/changes/RCCacheEntryFactory.php
@@ -285,7 +285,6 @@ class RCCacheEntryFactory {
 $userLink = ' <span class="history-deleted">' . $this->context->msg( 'rev-deleted-user' )->escaped() . '</span>';
 } else {
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped Triggered by Linker?
 $userLink = Linker::userLink(
 $cacheEntry->mAttribs['rc_user'],
 $cacheEntry->mAttribs['rc_user_text'],
diff --git a/includes/changes/RecentChange.php b/includes/changes/RecentChange.php
index 4aadf2044b56..b1b74fe7420b 100644
--- a/includes/changes/RecentChange.php
+++ b/includes/changes/RecentChange.php
@@ -1172,7 +1172,6 @@ class RecentChange implements Taggable {
 */
 public function getAttribute( $name ) {
 if ( $name === 'rc_comment' ) {
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped
 return CommentStore::getStore()
 ->getComment( 'rc_comment', $this->mAttribs, true )->text;
 }
diff --git a/includes/export/XmlDumpWriter.php b/includes/export/XmlDumpWriter.php
index 01a649401309..daf006d282e2 100644
--- a/includes/export/XmlDumpWriter.php
+++ b/includes/export/XmlDumpWriter.php
@@ -377,7 +377,6 @@ class XmlDumpWriter {
 } else {
 if ( $rev->getComment()->text != '' ) {
 $out .= " "
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped getComment is polluted by truncate
 . Xml::elementClean( 'comment', [], strval( $rev->getComment()->text ) ) . "\n";
 }
@@ -601,7 +600,6 @@ class XmlDumpWriter {
 } else {
 $comment = CommentStore::getStore()->getComment( 'log_comment', $row )->text;
 if ( $comment != '' ) {
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped CommentStore is polluted by truncate
 $out .= " " . Xml::elementClean( 'comment', null, strval( $comment ) ) . "\n";
 }
 }
diff --git a/includes/gallery/TraditionalImageGallery.php b/includes/gallery/TraditionalImageGallery.php
index 2188351d7280..9b1ba5300502 100644
--- a/includes/gallery/TraditionalImageGallery.php
+++ b/includes/gallery/TraditionalImageGallery.php
@@ -264,7 +264,6 @@ class TraditionalImageGallery extends ImageGalleryBase {
 // Preloaded into LinkCache in toHTML
 return $linkRenderer->makeKnownLink(
 $nt,
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped Triggered by Language::truncateForVisual
 is_int( $this->getCaptionLength() )
 ? $lang->truncateForVisual( $nt->getText(), $this->getCaptionLength() )
 : $nt->getText(),
diff --git a/includes/language/Language.php b/includes/language/Language.php
index 9fa0005f4c8b..fbf6093f3d9e 100644
--- a/includes/language/Language.php
+++ b/includes/language/Language.php
@@ -3528,6 +3528,13 @@ class Language {
 * This provides multibyte version of truncateForDatabase() method of this class,
 * suitable for truncation based on number of characters, instead of number of bytes.
 *
+ * The input should be a raw UTF-8 string and *NOT* be HTML
+ * escaped. It is not safe to truncate HTML-escaped strings,
+ * because the entity can be truncated! Use ::truncateHtml() if you
+ * need a specific number of HTML-encoded bytes, or
+ * ::truncateForDatabase() if you need a specific number of PHP
+ * bytes.
+ *
 * If $length is negative, the string will be truncated from the beginning.
 *
 * @since 1.31
@@ -3575,7 +3582,7 @@ class Language {
 # Use the localized ellipsis character
 if ( $ellipsis == '...' ) {
- $ellipsis = wfMessage( 'ellipsis' )->inLanguage( $this )->escaped();
+ $ellipsis = wfMessage( 'ellipsis' )->inLanguage( $this )->text();
 }
 if ( $length == 0 ) {
 return $ellipsis; // convention
diff --git a/includes/logging/LogPage.php b/includes/logging/LogPage.php
index ca3af28633f3..6b246dc33f80 100644
--- a/includes/logging/LogPage.php
+++ b/includes/logging/LogPage.php
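Review bot: At the changed `$ellipsis = wfMessage( 'ellipsis' )->inLanguage( $this )->text();` line the ellipsis is now unescaped message text, and because the `ellipsis` message can be overridden on-wiki it is no longer guaranteed to be HTML-safe, so every caller must escape the truncated result for its output context; the docblock added in the first Language.php hunk states the input contract but not this output contract. I would extend that docblock with `* The returned string is likewise raw text; callers must escape it for their output context.`. Going by the line numbers, the `escaped()`→`text()` change appears to sit in the truncation helper shared with truncateForDatabase() rather than in truncateForVisual() itself, so truncateForDatabase() would pick up the raw ellipsis too — worth confirming that is intended. The enclosing method of the second hunk starts and ends outside the hunk.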
@@ -125,7 +125,6 @@ class LogPage {
 if ( $this->updateRecentChanges ) {
 $titleObj = SpecialPage::getTitleFor( 'Log', $this->type );
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped
 RecentChange::notifyLog(
 $now, $titleObj, $this->performer, $this->getRcComment(), '', $this->type, $this->action, $this->target, $this->comment,
@@ -140,7 +139,6 @@ class LogPage {
 // Notify external application via UDP.
 // We send this to IRC but do not want to add it the RC table.
 $titleObj = SpecialPage::getTitleFor( 'Log', $this->type );
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped
 $rc = RecentChange::newLogEntry(
 $now, $titleObj, $this->performer, $this->getRcComment(), '', $this->type, $this->action, $this->target, $this->comment,
@@ -362,7 +360,6 @@ class LogPage {
 $this->performer = $performer;
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped
 $logEntry = new ManualLogEntry( $this->type, $action );
 $logEntry->setTarget( $target );
 $logEntry->setPerformer( $performer );
diff --git a/includes/rcfeed/IRCColourfulRCFeedFormatter.php b/includes/rcfeed/IRCColourfulRCFeedFormatter.php
index 619867a45bdd..0e41c8329bbe 100644
--- a/includes/rcfeed/IRCColourfulRCFeedFormatter.php
+++ b/includes/rcfeed/IRCColourfulRCFeedFormatter.php
@@ -100,7 +100,6 @@ class IRCColourfulRCFeedFormatter implements RCFeedFormatter {
 $flag = $attribs['rc_log_action'];
 } else {
 $store = MediaWikiServices::getInstance()->getCommentStore();
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped
 $comment = self::cleanupForIRC( $store->getComment( 'rc_comment', $attribs )->text );
 $flag = '';
 if ( !$attribs['rc_patrolled']
diff --git a/includes/revisiondelete/RevDelLogItem.php b/includes/revisiondelete/RevDelLogItem.php
index 75a5e5fe2d2e..18d8339b0c20 100644
--- a/includes/revisiondelete/RevDelLogItem.php
+++ b/includes/revisiondelete/RevDelLogItem.php
@@ -19,6 +19,7 @@
 * @ingroup RevisionDelete
 */
+use MediaWiki\MediaWikiServices;
 use MediaWiki\Revision\RevisionRecord;
 /**
@@ -128,9 +129,10 @@ class RevDelLogItem extends RevDelItem {
 // User links and action text
 $action = $formatter->getActionText();
- $comment = $this->commentStore->getComment( 'log_comment', $this->row )->text;
- $comment = $this->list->getLanguage()->getDirMark()
- . Linker::commentBlock( $comment );
+ $commentRaw = $this->commentStore->getComment( 'log_comment', $this->row )->text;
+ $commentFormatter = MediaWikiServices::getInstance()->getCommentFormatter();
+ $dirMark = $this->list->getLanguage()->getDirMark();
+ $comment = $dirMark . $commentFormatter->formatBlock( $commentRaw );
 if ( LogEventsList::isDeleted( $this->row, LogPage::DELETED_COMMENT ) ) {
 $comment = '<span class="history-deleted">' . $comment . '</span>';
diff --git a/includes/search/SearchHighlighter.php b/includes/search/SearchHighlighter.php
index b7d705722c4d..c481701f6204 100644
--- a/includes/search/SearchHighlighter.php
+++ b/includes/search/SearchHighlighter.php
@@ -556,7 +556,6 @@ class SearchHighlighter {
 $found = $m[2];
- // @phan-suppress-next-line SecurityCheck-DoubleEscaped Triggered by Language::truncateForVisual
 $line = htmlspecialchars( $pre . $found . $post );
 $pat2 = '/(' . $terms . ")/i";
 $line = preg_replace( $pat2, "<span class='searchmatch'>\\1</span>", $line );
 |
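Review bot: `MediaWikiServices::getInstance()->getCommentFormatter()` is resolved inline at the new `$commentFormatter` line, while the same method already reads `$this->commentStore`, which looks like an injected collaborator; pulling the formatter from the service locator mid-method makes the class harder to unit-test and inconsistent with how its other dependency is obtained. I would inject `CommentFormatter` through the constructor next to the comment store and write `$comment = $this->list->getLanguage()->getDirMark() . $this->commentFormatter->formatBlock( $commentRaw );` here, which also removes the one-use `$dirMark` temporary. The enclosing method starts and ends outside the hunk.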