From: Brian Wolff
Date: Sat, 1 Sep 2018 08:25:37 +0000 (+0000)
Subject: Add taint annotation and warnings to Language::convert() et al
X-Git-Tag: 1.34.0-rc.0~4227^2
X-Git-Url: http://git.cyclocoop.org/%22.%24info%5B?a=commitdiff_plain;h=8dbf6a7b31925a8b9e968d788b4f62890881eca6;hp=3f0ecb922794183b3321849c520bdf889da7f259;p=lhc%2Fweb%2Fwiklou.git

Add taint annotation and warnings to Language::convert() et al

If you feed this method unescaped data, it can cause later calls to be an XSS, which is something I think deserves a warning.

Bug: T202571
Change-Id: I34cb3da9232a22defffb80466263c2f2233822ef
---
diff --git a/languages/Language.php b/languages/Language.php
index cbdd59d18b..85daa14821 100644
--- a/languages/Language.php
+++ b/languages/Language.php
@@ -4194,6 +4194,11 @@ class Language {
 /**
 * convert text to different variants of a language.
 *
+ * @warning Glossary state is maintained between calls. This means
+ * if you pass unescaped text to this method it can cause an XSS
+ * in later calls to this method, even if the later calls have properly
+ * escaped the input. Never feed this method user controlled text that
+ * is not properly escaped!
 * @param string $text Content that has been already escaped for use in HTML
 * @return string HTML
 */
diff --git a/languages/LanguageConverter.php b/languages/LanguageConverter.php
index cb0f66f1b7..e51dca93ee 100644
--- a/languages/LanguageConverter.php
+++ b/languages/LanguageConverter.php
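Review bot: Language::convert() receives only the prose @warning here, whereas the convertTo() hunk in LanguageConverter.php also gets the machine-readable `@param-taint $text exec_html` / `@return-taint escaped` pair; without those lines a taint checker will not flag a caller that passes unescaped text into this wrapper unless it happens to infer the contract through the delegated call, which nothing in the hunk shows. The same gap exists in the LanguageConverter::convert() hunk, which likewise gains only a @warning and reworded @param/@return. Suggest adding ` * @param-taint $text exec_html` after the @param line and ` * @return-taint escaped` after the @return line in both docblocks, so the documented contract and the checked one agree. Both method bodies lie outside the hunk.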
@@ -642,8 +642,12 @@ class LanguageConverter {
 * -{flags|code1:text1;code2:text2;...}- or
 * -{text}- in which case no conversion should take place for text
 *
- * @param string $text Text to be converted
- * @return string Converted text
+ * @warning Glossary state is maintained between calls. Never feed this
+ * method input that hasn't properly been escaped as it may result in
+ * an XSS in subsequent calls, even if those subsequent calls properly
+ * escape things.
+ * @param string $text Text to be converted, already html escaped.
+ * @return string Converted text (html)
 */
 public function convert( $text ) {
 $variant = $this->getPreferredVariant();
@@ -653,9 +657,11 @@ class LanguageConverter {
 /**
 * Same as convert() except a extra parameter to custom variant.
 *
- * @param string $text Text to be converted
+ * @param string $text Text to be converted, already html escaped
+ * @param-taint $text exec_html
 * @param string $variant The target variant code
 * @return string Converted text
+ * @return-taint escaped
 */
 public function convertTo( $text, $variant ) {
 global $wgDisableLangConversion;
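Review bot: `@return-taint escaped` on convertTo() asserts the result is safe HTML, but by the @warning added in the preceding hunk that holds only if every earlier call in the same request also received escaped input, because glossary state persists across calls; the annotation cannot verify that for a single call site, so a reader may trust it more than it warrants. Worth stating the dependency in this docblock, e.g. ` * The return value is only safe HTML if every earlier convert()/convertTo() call also received escaped text.` Minor style: the new @param line here ends without a period while the sibling convert() hunk's ends with one and adds "(html)" to @return, so the two docblocks should use one form. convertTo()'s body continues beyond the hunk.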