Whether or not LogFormatter::getActionText() and friends are safe
for html depends on the runtime value of LogFormatter::$plaintext
which is beyond the abilities of phan-taint-check's static analysis
to determine. Thus this method produces a lot of false positives.
To prevent that, add an annotation that marks the method as always
safe for html. This is not ideal, but refactoring this method while
maintaining back-compat looks like it would be very challenging.
Bug: T197002
Change-Id: I9aded350ed4acc733b4fb697dd3400686a178fa9
* to avoid formatting for any particular user.
* @see getActionText()
* @return string Plain text
* to avoid formatting for any particular user.
* @see getActionText()
* @return string Plain text
+ * @return-taint tainted
*/
public function getPlainActionText() {
$this->plaintext = true;
*/
public function getPlainActionText() {
$this->plaintext = true;
/**
* Gets the log action, including username.
* @return string HTML
/**
* Gets the log action, including username.
* @return string HTML
+ * phan-taint-check gets very confused by $this->plaintext, so disable.
+ * @return-taint onlysafefor_html
*/
public function getActionText() {
if ( $this->canView( LogPage::DELETED_ACTION ) ) {
*/
public function getActionText() {
if ( $this->canView( LogPage::DELETED_ACTION ) ) {
* Helper method for displaying restricted element.
* @param string $message
* @return string HTML or wiki text
* Helper method for displaying restricted element.
* @param string $message
* @return string HTML or wiki text
+ * @return-taint onlysafefor_html
*/
protected function getRestrictedElement( $message ) {
if ( $this->plaintext ) {
*/
protected function getRestrictedElement( $message ) {
if ( $this->plaintext ) {
return $this->context->msg( $key );
}
return $this->context->msg( $key );
}
+ /**
+ * @param User $user
+ * @param int $toolFlags Combination of Linker::TOOL_LINKS_* flags
+ * @return string wikitext or html
+ * @return-taint onlysafefor_html
+ */
protected function makeUserLink( User $user, $toolFlags = 0 ) {
if ( $this->plaintext ) {
$element = $user->getName();
protected function makeUserLink( User $user, $toolFlags = 0 ) {
if ( $this->plaintext ) {
$element = $user->getName();
+ /**
+ * @return string
+ * @return-taint onlysafefor_html
+ */
protected function getActionMessage() {
$entry = $this->entry;
$action = LogPage::actionText(
protected function getActionMessage() {
$entry = $this->entry;
$action = LogPage::actionText(