From: jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
Date: Thu, 30 Aug 2018 02:54:03 +0000 (+0000)
Subject: Merge "Fix some warnings from phan-taint-check"
X-Git-Tag: 1.34.0-rc.0~4251
X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/membres/fiche.php?a=commitdiff_plain;h=fede766fe9950e3a036c263bf17d19d31278221c;hp=f7b7d9400d993abb545db503d30e20206689a1e1;p=lhc%2Fweb%2Fwiklou.git

Merge "Fix some warnings from phan-taint-check"
---

diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 5f825c8b5a..f6c9075136 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -104,6 +104,9 @@ class AjaxDispatcher {
 	 * they should be carefully handled in the function processing the
 	 * request.
 	 *
+	 * phan-taint-check triggers as it is not smart enough to understand
+	 * the early return if func_name not in AjaxExportList.
+	 * @suppress SecurityCheck-XSS
 	 * @param User $user
 	 */
 	function performAction( User $user ) {
diff --git a/includes/EditPage.php b/includes/EditPage.php
index 670b93d0f1..6b4dcc21c8 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1782,7 +1782,7 @@ ERROR;
 			if ( $this->summary === '' ) {
 				$cleanSectionTitle = $wgParser->stripSectionName( $this->sectiontitle );
 				return $this->context->msg( 'newsectionsummary' )
-					->rawParams( $cleanSectionTitle )->inContentLanguage()->text();
+					->plaintextParams( $cleanSectionTitle )->inContentLanguage()->text();
 			}
 		} elseif ( $this->summary !== '' ) {
 			$sectionanchor = $this->guessSectionName( $this->summary );
@@ -1790,7 +1790,7 @@ ERROR;
 			# in the revision summary.
 			$cleanSummary = $wgParser->stripSectionName( $this->summary );
 			return $this->context->msg( 'newsectionsummary' )
-				->rawParams( $cleanSummary )->inContentLanguage()->text();
+				->plaintextParams( $cleanSummary )->inContentLanguage()->text();
 		}
 		return $this->summary;
 	}
diff --git a/includes/htmlform/HTMLFormField.php b/includes/htmlform/HTMLFormField.php
index bd08da0e22..a88ab9934d 100644
--- a/includes/htmlform/HTMLFormField.php
+++ b/includes/htmlform/HTMLFormField.php
@@ -878,8 +878,13 @@ abstract class HTMLFormField {
 	 * Determine form errors to display and their classes
 	 * @since 1.20
 	 *
+	 * phan-taint-check gets confused with returning both classes
+	 * and errors and thinks double escaping is happening, so specify
+	 * that return value has no taint.
+	 *
 	 * @param string $value The value of the input
 	 * @return array array( $errors, $errorClass )
+	 * @return-taint none
 	 */
 	public function getErrorsAndErrorClass( $value ) {
 		$errors = $this->validate( $value, $this->mParent->mFieldData );
@@ -1149,6 +1154,12 @@ abstract class HTMLFormField {
 	 * Formats one or more errors as accepted by field validation-callback.
 	 *
 	 * @param string|Message|array $errors Array of strings or Message instances
+	 * To work around limitations in phan-taint-check the calling
+	 * class has taintedness disabled. So instead we pretend that
+	 * this method outputs html, since the result is eventually
+	 * outputted anyways without escaping and this allows us to verify
+	 * stuff is safe even though the caller has taintedness cleared.
+	 * @param-taint $errors exec_html
 	 * @return string HTML
 	 * @since 1.18
 	 */