From f631c16e849840e6aa01394c9e0c9bc0b37bbe44 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Sat, 14 Jul 2018 22:02:01 +0000
Subject: [PATCH] Fix some warnings from phan-taint-check

Change-Id: I58af7bc21f4c6b77dbda689faa904b53705fe576
---
 includes/AjaxDispatcher.php         |  3 +++
 includes/EditPage.php               |  4 ++--
 includes/htmlform/HTMLFormField.php | 11 +++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 5f825c8b5a..f6c9075136 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -104,6 +104,9 @@ class AjaxDispatcher {
 	 * they should be carefully handled in the function processing the
 	 * request.
 	 *
+	 * phan-taint-check triggers as it is not smart enough to understand
+	 * the early return if func_name not in AjaxExportList.
+	 * @suppress SecurityCheck-XSS
 	 * @param User $user
 	 */
 	function performAction( User $user ) {
diff --git a/includes/EditPage.php b/includes/EditPage.php
index 7f209d45e5..0799c0cfcb 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1774,7 +1774,7 @@ ERROR;
 			if ( $this->summary === '' ) {
 				$cleanSectionTitle = $wgParser->stripSectionName( $this->sectiontitle );
 				return $this->context->msg( 'newsectionsummary' )
-					->rawParams( $cleanSectionTitle )->inContentLanguage()->text();
+					->plaintextParams( $cleanSectionTitle )->inContentLanguage()->text();
 			}
 		} elseif ( $this->summary !== '' ) {
 			$sectionanchor = $this->guessSectionName( $this->summary );
@@ -1782,7 +1782,7 @@ ERROR;
 			# in the revision summary.
 			$cleanSummary = $wgParser->stripSectionName( $this->summary );
 			return $this->context->msg( 'newsectionsummary' )
-				->rawParams( $cleanSummary )->inContentLanguage()->text();
+				->plaintextParams( $cleanSummary )->inContentLanguage()->text();
 		}
 		return $this->summary;
 	}
diff --git a/includes/htmlform/HTMLFormField.php b/includes/htmlform/HTMLFormField.php
index 97e4b50551..9034a1ade9 100644
--- a/includes/htmlform/HTMLFormField.php
+++ b/includes/htmlform/HTMLFormField.php
@@ -855,8 +855,13 @@ abstract class HTMLFormField {
 	 * Determine form errors to display and their classes
 	 * @since 1.20
 	 *
+	 * phan-taint-check gets confused with returning both classes
+	 * and errors and thinks double escaping is happening, so specify
+	 * that return value has no taint.
+	 *
 	 * @param string $value The value of the input
 	 * @return array array( $errors, $errorClass )
+	 * @return-taint none
 	 */
 	public function getErrorsAndErrorClass( $value ) {
 		$errors = $this->validate( $value, $this->mParent->mFieldData );
@@ -1119,6 +1124,12 @@ abstract class HTMLFormField {
 	 * Formats one or more errors as accepted by field validation-callback.
 	 *
 	 * @param string|Message|array $errors Array of strings or Message instances
+	 * To work around limitations in phan-taint-check the calling
+	 * class has taintedness disabled. So instead we pretend that
+	 * this method outputs html, since the result is eventually
+	 * outputted anyways without escaping and this allows us to verify
+	 * stuff is safe even though the caller has taintedness cleared.
+	 * @param-taint $errors exec_html
 	 * @return string HTML
 	 * @since 1.18
 	 */
-- 
2.20.1