From: Brian Wolff Date: Fri, 31 Aug 2018 15:55:44 +0000 (+0000) Subject: Use annotations for taint in Parser & ParserOutput. X-Git-Tag: 1.34.0-rc.0~4236^2 X-Git-Url: http://git.cyclocoop.org/%24%7Burls/mainpage/%22%20.%20generer_url_ecrire%28%22articles_tous%22%29%20.%20%22?a=commitdiff_plain;h=13e5700b23e0fae839dba7756746f782dd4ba91e;p=lhc%2Fweb%2Fwiklou.git Use annotations for taint in Parser & ParserOutput. This replaces the builtin taints that are removed in Ic1e1983a51c. Additionally, parse will no longer warn about double escaping - there's many situations where such warnings are wrong (e.g. Using Html::rawElement()). However this also means that Parser::parse( wfMessage( 'foo' )->parse() ); will no longer give a double escaping warning, which is unfortunate. Bug: T202380 Change-Id: Ia52d37411beb62b112c6ff102438063c3d750769
---
diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index bd3c32a5b0..51c04ea035 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -425,12 +425,14 @@ class Parser {
 * Do not call this function recursively.
 *
 * @param string $text Text we want to parse
+ * @param-taint $text escapes_htmlnoent
 * @param Title $title
 * @param ParserOptions $options
 * @param bool $linestart
 * @param bool $clearState
 * @param int|null $revid Number to pass in {{REVISIONID}}
 * @return ParserOutput A ParserOutput
+ * @return-taint escaped
 */
 public function parse(
 $text, Title $title, ParserOptions $options,
@@ -671,8 +673,10 @@ class Parser {
 * $text are not expanded
 *
 * @param string $text Text extension wants to have parsed
+ * @param-taint $text escapes_htmlnoent
 * @param bool|PPFrame $frame The frame to use for expanding any template variables
 * @return string UNSAFE half-parsed HTML
+ * @return-taint escaped
 */
 public function recursiveTagParse( $text, $frame = false ) {
 // Avoid PHP 7.1 warning from passing $this by reference
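Review bot: In the `recursiveTagParse()` docblock (the `@@ -671,8 +673,10 @@` hunk) the existing `@return string UNSAFE half-parsed HTML` now sits directly above the new `@return-taint escaped`, and the two lines read as contradictory. An extension author skimming the docblock could take the taint annotation as a statement that the return value is fit for direct output, which the prose line explicitly denies. The annotation presumably only tells the static analyzer how to treat HTML taint coming from `$text`, so I would record that distinction next to it, e.g. `* @note return-taint is for the taint analyzer only; the result is still half-parsed and not meant for direct output`. The function body continues outside the hunk, so what makes the result "UNSAFE" cannot be confirmed from here.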
@@ -697,8 +701,10 @@ class Parser {
 * @since 1.25
 *
 * @param string $text Text extension wants to have parsed
+ * @param-taint $text escapes_htmlnoent
 * @param bool|PPFrame $frame The frame to use for expanding any template variables
 * @return string Fully parsed HTML
+ * @return-taint escaped
 */
 public function recursiveTagParseFully( $text, $frame = false ) {
 $text = $this->recursiveTagParse( $text, $frame );
diff --git a/includes/parser/ParserOutput.php b/includes/parser/ParserOutput.php
index 78160cac5a..48ba111e88 100644
--- a/includes/parser/ParserOutput.php
+++ b/includes/parser/ParserOutput.php
@@ -303,6 +303,7 @@ class ParserOutput extends CacheTime {
 * the scheme-specific-part of the href is the (percent-encoded) value
 * of the `data-mw-deduplicate` attribute.
 * @return string HTML
+ * @return-taint escaped
 */
 public function getText( $options = [] ) {
 $options += [