* they should be carefully handled in the function processing the
* request.
*
+ * phan-taint-check triggers as it is not smart enough to understand
+ * the early return if func_name not in AjaxExportList.
+ * @suppress SecurityCheck-XSS
* @param User $user
*/
function performAction( User $user ) {
if ( $this->summary === '' ) {
$cleanSectionTitle = $wgParser->stripSectionName( $this->sectiontitle );
return $this->context->msg( 'newsectionsummary' )
- ->rawParams( $cleanSectionTitle )->inContentLanguage()->text();
+ ->plaintextParams( $cleanSectionTitle )->inContentLanguage()->text();
}
} elseif ( $this->summary !== '' ) {
$sectionanchor = $this->guessSectionName( $this->summary );
# in the revision summary.
$cleanSummary = $wgParser->stripSectionName( $this->summary );
return $this->context->msg( 'newsectionsummary' )
- ->rawParams( $cleanSummary )->inContentLanguage()->text();
+ ->plaintextParams( $cleanSummary )->inContentLanguage()->text();
}
return $this->summary;
}
* Determine form errors to display and their classes
* @since 1.20
*
+ * phan-taint-check gets confused with returning both classes
+ * and errors and thinks double escaping is happening, so specify
+ * that return value has no taint.
+ *
* @param string $value The value of the input
* @return array array( $errors, $errorClass )
+ * @return-taint none
*/
public function getErrorsAndErrorClass( $value ) {
$errors = $this->validate( $value, $this->mParent->mFieldData );
* Formats one or more errors as accepted by field validation-callback.
*
* @param string|Message|array $errors Array of strings or Message instances
+ * To work around limitations in phan-taint-check the calling
+ * class has taintedness disabled. So instead we pretend that
+ * this method outputs html, since the result is eventually
+ * outputted anyways without escaping and this allows us to verify
+ * stuff is safe even though the caller has taintedness cleared.
+ * @param-taint $errors exec_html
* @return string HTML
* @since 1.18
*/