From 724411c7caada4a87d18f91c59319c487736597f Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Sun, 19 Jul 2009 16:49:58 +0000
Subject: [PATCH] * (bug 19784) date option "ISO 8601" produced illegal id Now running auto-generated id/names for radio group items through Sanitizer::escapeId(). For good measure, also manually checking the input 'name' and 'id' field values for base fields against validation and throwing an exception if we ain't got em.
---
 RELEASE-NOTES | 1 +
 includes/HTMLForm.php | 21 ++++++++++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index ed2a513f60..bf625edf0e 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -289,6 +289,7 @@ this. Was used when mwEmbed was going to be an extension. standard, nostalgia and cologneblue skin
 * (bug 19814) interwiki links from file links ([[File:Foo.jpg|link=de:Test]]) are no longer recorded in the pagelinks table
+* (bug 19784) date option "ISO 8601" produced illegal id
 == API changes in 1.16 ==
diff --git a/includes/HTMLForm.php b/includes/HTMLForm.php
index f634c5b9e4..9cf212ed82 100644
--- a/includes/HTMLForm.php
+++ b/includes/HTMLForm.php
@@ -407,8 +407,13 @@ abstract class HTMLFormField {
 }
 if ( isset( $params['name'] ) ) {
- $this->mName = 'wp'.$params['name'];
- $this->mID = 'mw-input-'.$params['name'];
+ $name = $params['name'];
+ $validName = Sanitizer::escapeId( $name );
+ if( $name != $validName ) {
+ throw new MWException("Invalid name '$name' passed to " . __METHOD__ );
+ }
+ $this->mName = 'wp'.$name;
+ $this->mID = 'mw-input-'.$name;
 }
 if ( isset( $params['default'] ) ) {
@@ -416,7 +421,12 @@ abstract class HTMLFormField {
 }
 if ( isset( $params['id'] ) ) {
- $this->mID = $params['id'];
+ $id = $params['id'];
+ $validId = Sanitizer::escapeId( $id );
+ if( $id != $validId ) {
+ throw new MWException("Invalid id '$id' passed to " . __METHOD__ );
+ }
+ $this->mID = $id;
 }
 if ( isset( $params['validation-callback'] ) ) {
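Review bot: The added guards compare with `!=` (`if( $name != $validName )` here, and `if( $id != $validId )` in the `id` hunk that follows), so PHP type juggling decides whether the value passed validation; numeric-looking strings or a non-string `$params['name']` can compare equal to an escaped value that is not byte-identical. Use the strict form, `if ( $name !== $validName ) {` and `if ( $id !== $validId ) {`. In the `name` branch the check also runs on the bare `$name`, although what reaches the markup is `'wp'.$name` and `'mw-input-'.$name`; if `Sanitizer::escapeId()` treats the first character of an id specially (its rules are not visible in this diff), validating the composed `'mw-input-'.$name` would match the emitted id more closely. The enclosing method starts and ends outside both hunks.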
@@ -811,10 +821,11 @@ class HTMLRadioField extends HTMLFormField {
 $html .= Xml::tags( 'h1', null, $label ) . "\n";
 $html .= $this->formatOptions( $info, $value );
 } else {
+ $id = Sanitizer::escapeId( $this->mID . "-$info" );
 $html .= Xml::radio( $this->mName, $info, $info == $value,
- $attribs + array( 'id' => $this->mID . "-$info" ) );
+ $attribs + array( 'id' => $id ) );
 $html .= ' ' .
- Xml::tags( 'label', array( 'for' => $this->mID . "-$info" ), $label );
+ Xml::tags( 'label', array( 'for' => $id ), $label );
 $html .= "
\n";
 }
--
2.20.1
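Review bot: Escaping `$this->mID . "-$info"` removes the illegal characters, but nothing in the new line keeps the resulting ids unique: if `Sanitizer::escapeId()` maps different characters to the same replacement (its rules are not visible in this diff), two option values that differ only in those characters would receive the same `id`, and the second `label for` would then point at the first radio button. A comment above the new assignment would record the assumption, for example `// escapeId() is lossy; option values must stay distinct after escaping`, or the suffix could come from a per-option counter instead of the option value. The enclosing method of HTMLRadioField starts outside the hunk.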