From: Brian Wolff
Date: Fri, 27 Oct 2017 14:26:33 +0000 (+0000)
Subject: Prefer using plaintextParams instead of rawParams where possible
X-Git-Tag: 1.31.0-rc.0~1643^2
X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/exercices//%22http:/commons.wikimedia.org/wiki/Commons:Firefogg/%22?a=commitdiff_plain;h=fc6d8a9cdb90e753ea05f2da9b32148456ecccc1;p=lhc%2Fweb%2Fwiklou.git

Prefer using plaintextParams instead of rawParams where possible

Using Message::rawParams() is something that should immediately jump out as scary. While it's perfectly safe to do something like wfMessage( 'foo' )->rawParams( $userControlledVar )->text() and escape later, mixing the safe type of rawParams with the dangerous type makes it more likely someone will miss something when checking for security. To reduce the likelyhood of confusion, prefer ->plaintextParams for such cases, as it can be seen to be safe at a glance.

Change-Id: Ib067eb08ec934779ae743751306f1a0397bdf71c
---
diff --git a/includes/specials/SpecialSearch.php b/includes/specials/SpecialSearch.php
index 85b4572bd5..09210e4379 100644
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -529,7 +529,7 @@ class SpecialSearch extends SpecialPage {
 		if ( strval( $term ) !== '' ) {
 			$out->setPageTitle( $this->msg( 'searchresults' ) );
 			$out->setHTMLTitle( $this->msg( 'pagetitle' )
-				->rawParams( $this->msg( 'searchresults-title' )->rawParams( $term )->text() )
+				->plaintextParams( $this->msg( 'searchresults-title' )->plaintextParams( $term )->text() )
 				->inContentLanguage()->text()
 			);
 		}
diff --git a/includes/specials/SpecialUndelete.php b/includes/specials/SpecialUndelete.php
index 740207d6b9..9cb34073a2 100644
--- a/includes/specials/SpecialUndelete.php
+++ b/includes/specials/SpecialUndelete.php
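Review bot: The plaintextParams() call on the `+` line does not by itself escape $term: as I recall Message renders plaintext params verbatim in the text/plain formats and only HTML-escapes them in the parse/escaped formats, and both messages here end with ->text(), so the string handed to setHTMLTitle() still contains the raw search term and safety rests on the consumer of the HTML title escaping it when the <title> element is emitted. That dependency is invisible at the call site; a one-line comment would make it explicit, e.g. `// plaintext params are not escaped by ->text(); the title is escaped when OutputPage emits the <title> element`. The enclosing method begins and ends outside this hunk.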
@@ -974,7 +974,7 @@ class SpecialUndelete extends SpecialPage {
 		$userLink = $this->getFileUser( $file );
 		$data = $this->msg( 'widthheight' )->numParams( $row->fa_width, $row->fa_height )->text();
 		$bytes = $this->msg( 'parentheses' )
-			->rawParams( $this->msg( 'nbytes' )->numParams( $row->fa_size )->text() )
+			->plaintextParams( $this->msg( 'nbytes' )->numParams( $row->fa_size )->text() )
 			->plain();
 		$data = htmlspecialchars( $data . ' ' . $bytes );
 		$comment = $this->getFileComment( $file );
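Review bot: `$data` holds two different things within this hunk: first the unescaped 'widthheight' text on the second context line, then the htmlspecialchars() result four lines later, so a reader has to track at each point whether the variable is already HTML-safe. Giving the raw value its own name keeps the escaped/unescaped boundary obvious, e.g. `$dimensions = $this->msg( 'widthheight' )->numParams( $row->fa_width, $row->fa_height )->text();` and `$data = htmlspecialchars( $dimensions . ' ' . $bytes );`. The ->plain() rendering on the line after the `+` leaves the plaintext param unescaped, which is consistent with the htmlspecialchars() applied afterwards. The enclosing method starts and ends outside this hunk.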