From 0364f852a32bad44b47465fb3750e42e9d005f9f Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Sun, 17 Feb 2019 11:32:50 +0000
Subject: [PATCH] Various fixes to make phan-taint-check happier

Bug: T216348
Change-Id: If4071e689f476d2138d8964598c5a02b09448677
---
 includes/Linker.php | 9 ++++++++-
 includes/OutputPage.php | 4 +++-
 includes/api/ApiFormatPhp.php | 3 +++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/includes/Linker.php b/includes/Linker.php
index 049fb07284..2c7f44c2d5 100644
--- a/includes/Linker.php
+++ b/includes/Linker.php
@@ -112,7 +112,7 @@ class Linker {
 		if ( $html !== null ) {
 			$text = new HtmlArmor( $html );
 		} else {
-			$text = $html; // null
+			$text = null;
 		}
 
 		if ( in_array( 'known', $options, true ) ) {
@@ -823,13 +823,20 @@ class Linker {
 
 	/**
 	 * Make an external link
+	 *
 	 * @since 1.16.3. $title added in 1.21
 	 * @param string $url URL to link to
+	 * @param-taint $url escapes_html
 	 * @param string $text Text of link
+	 * @param-taint $text escapes_html
 	 * @param bool $escape Do we escape the link text?
+	 * @param-taint $escape none
 	 * @param string $linktype Type of external link. Gets added to the classes
+	 * @param-taint $linktype escapes_html
 	 * @param array $attribs Array of extra attributes to
+	 * @param-taint $attribs escapes_html
 	 * @param Title|null $title Title object used for title specific link attributes
+	 * @param-taint $title none
 	 * @return string
 	 */
 	public static function makeExternalLink( $url, $text, $escape = true,
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 461df946e7..06954430fd 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -953,6 +953,8 @@ class OutputPage extends ContextSource {
 	 * good tags like \ will be dropped entirely.
 	 *
 	 * @param string|Message $name
+	 * @param-taint $name tainted
+	 * Phan-taint-check gets very confused by $name being either a string or a Message
 	 */
 	public function setPageTitle( $name ) {
 		if ( $name instanceof Message ) {
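Review bot: `@param-taint $text escapes_html` in the makeExternalLink docblock declares that `$text` is always HTML-escaped by this method, yet the `$escape` parameter two lines further down (annotated `none`, default `true` in the signature) exists precisely so callers can pass `$text` through unescaped, so a tainted `$text` combined with `$escape = false` is now invisible to the checker instead of being reported. The method body is outside the hunk, so I cannot see how `$escape` is applied, but if escaping is conditional the annotation should say so rather than assert the safe case, e.g. `@param-taint $text escapes_html Only when $escape is true; callers passing false must escape $text themselves`. A safer long-term direction is to let callers hand over pre-escaped markup via HtmlArmor (as the first hunk's `$html` path does) so the boolean can go away; until then the docblock is the only place the conditional contract is recorded.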
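Review bot: The sentence added after `@param-taint $name tainted` in the setPageTitle docblock is a bare continuation line, so PHPDoc tooling will read it as the description of that tag rather than as a free-standing remark, and it explains the checker's confusion without saying what marking `$name` as tainted is meant to achieve. Suggest folding the rationale into the tag itself so both survive, e.g. `@param-taint $name tainted Marked explicitly because phan-taint-check cannot follow the string|Message union; see the handling below`. setPageTitle's body continues beyond the hunk, so the actual sanitising path is not visible here.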
@@ -966,7 +968,7 @@ class OutputPage extends ContextSource {
 
 		# change "foo&bar" to "foo&bar"
 		$this->setHTMLTitle(
-			$this->msg( 'pagetitle' )->rawParams( Sanitizer::stripAllTags( $nameWithTags ) )
+			$this->msg( 'pagetitle' )->plaintextParams( Sanitizer::stripAllTags( $nameWithTags ) )
 				->inContentLanguage()
 		);
 	}
diff --git a/includes/api/ApiFormatPhp.php b/includes/api/ApiFormatPhp.php
index 45bdb6d436..616b341cb8 100644
--- a/includes/api/ApiFormatPhp.php
+++ b/includes/api/ApiFormatPhp.php
@@ -30,6 +30,9 @@ class ApiFormatPhp extends ApiFormatBase {
 		return 'application/vnd.php.serialized';
 	}
 
+	/**
+	 * @suppress SecurityCheck-XSS Output type is not text/html
+	 */
 	public function execute() {
 		$params = $this->extractRequestParams();
 
--
2.20.1
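Review bot: Replacing `rawParams` with `plaintextParams` on the `Sanitizer::stripAllTags( $nameWithTags )` argument is a behaviour change for titles containing `&`, `<` or `>`, not just an annotation fix, and the comment immediately above it (`# change "foo&bar" to "foo&bar"`) still describes the old raw handling. If stripAllTags decodes character references as its name suggests, the message now receives decoded plain text and is responsible for escaping it in HTML output formats; whether the rendered `<title>` actually changes depends on the format setHTMLTitle uses for the Message, which is outside this hunk. Worth a regression test with a page title containing `&amp;` and an `<i>` tag asserting the final title text is escaped exactly once, plus updating the comment to something like `# strip tags and pass the decoded title as plain text; escaping happens in the message/output layer`. setPageTitle begins before this hunk.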
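Review bot: `@suppress SecurityCheck-XSS` placed in the method docblock suppresses the check for all of execute(), whose body continues beyond the hunk, so any HTML that method might emit in future is silenced along with the serialized output; the justification `Output type is not text/html` rests on getMimeType() (visible just above) and presumably on the pretty-printed HTML variant of this formatter being escaped by ApiFormatBase, neither of which the comment records. Suggest narrowing the suppression to the offending statement with Phan's line-level form if the checker version in use supports it, `// @phan-suppress-next-line SecurityCheck-XSS serialized PHP, not HTML`, and otherwise making the docblock self-explanatory: `@suppress SecurityCheck-XSS Output is serialized PHP (see getMimeType()); the HTML-wrapped pretty-print mode is escaped by the base printer`.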