if ( $html !== null ) {
$text = new HtmlArmor( $html );
} else {
- $text = $html; // null
+ $text = null;
}
if ( in_array( 'known', $options, true ) ) {
/**
* Make an external link
+ *
* @since 1.16.3. $title added in 1.21
* @param string $url URL to link to
+ * @param-taint $url escapes_html
* @param string $text Text of link
+ * @param-taint $text escapes_html
* @param bool $escape Do we escape the link text?
+ * @param-taint $escape none
* @param string $linktype Type of external link. Gets added to the classes
+ * @param-taint $linktype escapes_html
* @param array $attribs Array of extra attributes to <a>
+ * @param-taint $attribs escapes_html
* @param Title|null $title Title object used for title specific link attributes
+ * @param-taint $title none
* @return string
*/
public static function makeExternalLink( $url, $text, $escape = true,
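Review bot: `@param-taint $text escapes_html` on L15 asserts unconditional escaping, but the docblock's own `$escape` parameter ("Do we escape the link text?") says `$text` is emitted unescaped when `$escape` is false, so callers on that path will no longer be flagged by the taint checker. If the checker cannot express the condition, document it next to the tag: `* @param-taint $text escapes_html` followed by `* (only when $escape is true; callers passing $escape = false must supply already-escaped HTML)`. The parameter list and the function body continue past the end of the hunk, so the unescaped path could not be verified here.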
* good tags like \<i\> will be dropped entirely.
*
* @param string|Message $name
+ * @param-taint $name tainted
+ * Phan-taint-check gets very confused by $name being either a string or a Message
*/
public function setPageTitle( $name ) {
if ( $name instanceof Message ) {
# change "<i>foo&bar</i>" to "foo&bar"
$this->setHTMLTitle(
- $this->msg( 'pagetitle' )->rawParams( Sanitizer::stripAllTags( $nameWithTags ) )
+ $this->msg( 'pagetitle' )->plaintextParams( Sanitizer::stripAllTags( $nameWithTags ) )
->inContentLanguage()
);
}
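Review bot: The sentence on L31 is placed as a continuation line of `@param-taint $name tainted`, so doc tooling will read it as that tag's description rather than as a remark about why the annotation was chosen; move it above the tags or make it a `//` comment inside the method. The L35 comment (`change "<i>foo&bar</i>" to "foo&bar"`) still describes the old `rawParams` behaviour; with `plaintextParams` the stripped text is presumably escaped again on output, so wording such as `# strip tags; plaintextParams escapes whatever remains` would match the new code. `$nameWithTags` is assigned outside the hunk and setPageTitle ends past its last line.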
return 'application/vnd.php.serialized';
}
+ /**
+ * @suppress SecurityCheck-XSS Output type is not text/html
+ */
public function execute() {
$params = $this->extractRequestParams();
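Review bot: The `@suppress SecurityCheck-XSS` on L45 silences the check for the whole of `execute()`, whose body continues outside the hunk, so any HTML-producing output added to the method later is hidden as well. The reason given is the right one; making it self-contained lets the next reviewer judge whether it still holds, e.g. `* @suppress SecurityCheck-XSS Output is application/vnd.php.serialized (see the mime-type method above), never rendered as text/html`.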
foreach ( $res as $row ) {
$this->author_list .= "<contributor>" .
"<username>" .
- htmlentities( $row->rev_user_text ) .
+ htmlspecialchars( $row->rev_user_text ) .
"</username>" .
"<id>" .
- $row->rev_user .
+ ( (int)$row->rev_user ) .
"</id>" .
"</contributor>";
}
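Review bot: `htmlspecialchars( $row->rev_user_text )` on L53 is called with default flags, which on PHP versions before 8.1 do not include `ENT_SUBSTITUTE`, so a username containing an invalid UTF-8 sequence makes the call return an empty string and the `<username>` element is silently emptied. Since the output is XML rather than HTML, explicit flags also document the intent: `htmlspecialchars( $row->rev_user_text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )`. The `(int)` cast on L57 is the right fix for the id. `$res` and `$this->author_list` are set up outside the hunk.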
$row .= "<td $selected style='white-space: nowrap;'>";
if ( !$file->userCan( File::DELETED_FILE, $user ) ) {
# Don't link to unviewable files
- $row .= '<span class="history-deleted">'
- . $lang->userTimeAndDate( $timestamp, $user ) . '</span>';
+ $row .= Html::element( 'span', [ 'class' => 'history-deleted' ],
+ $lang->userTimeAndDate( $timestamp, $user )
+ );
} elseif ( $file->isDeleted( File::DELETED_FILE ) ) {
+ $timeAndDate = htmlspecialchars( $lang->userTimeAndDate( $timestamp, $user ) );
if ( $local ) {
$this->preventClickjacking();
$revdel = SpecialPage::getTitleFor( 'Revisiondelete' );
# Make a link to review the image
$url = Linker::linkKnown(
$revdel,
- $lang->userTimeAndDate( $timestamp, $user ),
+ $timeAndDate,
[],
[
'target' => $this->title->getPrefixedText(),
]
);
} else {
- $url = $lang->userTimeAndDate( $timestamp, $user );
+ $url = $timeAndDate;
}
$row .= '<span class="history-deleted">' . $url . '</span>';
} elseif ( !$file->exists() ) {
- $row .= '<span class="mw-file-missing">'
- . $lang->userTimeAndDate( $timestamp, $user ) . '</span>';
+ $row .= Html::element( 'span', [ 'class' => 'mw-file-missing' ],
+ $lang->userTimeAndDate( $timestamp, $user )
+ );
} else {
$url = $iscur ? $this->current->getUrl() : $this->current->getArchiveUrl( $img );
$row .= Xml::element(
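Review bot: L88 still builds the deleted-revision span by string concatenation (`'<span class="history-deleted">' . $url . '</span>'`) while the two sibling branches in this hunk (L66, L92) were moved to `Html::element`; for consistency and to keep attribute quoting in one place use `$row .= Html::rawElement( 'span', [ 'class' => 'history-deleted' ], $url );` (rawElement because `$url` already holds escaped text or rendered link markup). The name `$url` is also misleading now that it holds link HTML rather than a URL; `$link` or `$timeAndDateHtml` would read better. The `$selected` interpolation on L61 is pre-existing context and is not touched by this change. The enclosing method starts and ends outside the hunk.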
$row .= '<td><span class="history-deleted">' .
$this->msg( 'rev-deleted-comment' )->escaped() . '</span></td>';
} else {
- $row .=
- '<td dir="' . MediaWikiServices::getInstance()->getContentLanguage()->getDir() .
- '">' . Linker::formatComment( $description, $this->title ) . '</td>';
+ $contLang = MediaWikiServices::getInstance()->getContentLanguage();
+ $row .= Html::rawElement(
+ 'td',
+ [ 'dir' => $contLang->getDir() ],
+ Linker::formatComment( $description, $this->title )
+ );
}
$rowClass = null;
'span',
[ 'class' => 'rclistfrom' ],
$this->makeOptionsLink(
- $this->msg( 'rclistfrom' )->rawParams( $now, $timenow, $datenow )->parse(),
+ $this->msg( 'rclistfrom' )->plaintextParams( $now, $timenow, $datenow )->parse(),
[ 'from' => $timestamp ],
$nondefaults
)
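Review bot: Switching to `plaintextParams` on L116 is correct only if `$now`, `$timenow` and `$datenow` are unescaped plain strings; they are assigned outside the hunk, and if any of them was already passed through `htmlspecialchars` for the old `rawParams` call it will now be double-escaped. Worth confirming at the assignment site and dropping any such pre-escaping there. The enclosing call starts before the hunk.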
$url = str_replace( '$1', urlencode( $term ), $searchForwardUrl );
$out->redirect( $url );
} else {
- $out->addHTML(
- "<fieldset>" .
- "<legend>" .
- $this->msg( 'search-external' )->escaped() .
- "</legend>" .
- "<p class='mw-searchdisabled'>" .
- $this->msg( 'searchdisabled' )->escaped() .
- "</p>" .
- $this->msg( 'googlesearch' )->rawParams(
- htmlspecialchars( $term ),
- 'UTF-8',
- $this->msg( 'searchbutton' )->escaped()
- )->text() .
- "</fieldset>"
- );
+ $this->showGoogleSearch( $term );
}
return;
$this->showResults( $term );
}
+ /**
+ * Output a google search form if search is disabled
+ *
+ * @param string $term Search term
+ * @todo FIXME Maybe we should get rid of this raw html message at some future time
+ * @suppress SecurityCheck-XSS
+ */
+ private function showGoogleSearch( $term ) {
+ $this->getOutput()->addHTML(
+ "<fieldset>" .
+ "<legend>" .
+ $this->msg( 'search-external' )->escaped() .
+ "</legend>" .
+ "<p class='mw-searchdisabled'>" .
+ $this->msg( 'searchdisabled' )->escaped() .
+ "</p>" .
+ $this->msg( 'googlesearch' )->rawParams(
+ htmlspecialchars( $term ),
+ 'UTF-8',
+ $this->msg( 'searchbutton' )->escaped()
+ )->text() .
+ "</fieldset>"
+ );
+ }
+
/**
* Set up basic search parameters from the request and user settings.
*
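Review bot: The `@suppress SecurityCheck-XSS` on L148 carries no justification, unlike the one on L45, and `htmlspecialchars( $term )` on L160 uses default flags, which on PHP versions before 8.1 leave single quotes unescaped and return an empty string for invalid UTF-8. Because the `googlesearch` message body is raw HTML this method cannot see, the escaping should not depend on which quoting style the message uses: `htmlspecialchars( $term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )`. The suppression line should state why it is safe, e.g. `* @suppress SecurityCheck-XSS $term is escaped above; the remaining content is the trusted raw-HTML googlesearch message`. The new method also lacks types — `private function showGoogleSearch( string $term ): void` (or at least `@return void` in the docblock) would match the rest of the new docblock. The extracted method is otherwise a faithful move of the removed block on L123-137.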