From 5c13a000cecefc99bc945911672d52a7f26a3042 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Thu, 16 Feb 2006 20:53:45 +0000
Subject: [PATCH] * (bug 4502, 5017) Don't render potentially hostile deleted page contents on Special:Undelete by default; show source, with an optional preview. The revisions list no longer shows the latest text by default, so it can still be operated if the text is hostile.
---
 RELEASE-NOTES | 4 +++
 includes/SpecialUndelete.php | 50 +++++++++++++++++++++++++++++++++---
 2 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 5c38922b18..b5a62f6534 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -615,6 +615,10 @@ fully support the editing toolbar, but was found to be too confusing.
 * Blocking some Unicode whitespace characters in usernames. Should check if some or all should be blocked from all page titles.
 * Unknown log types no longer throw notices everywhere in RecentChanges
+* (bug 4502, 5017) Don't render potentially hostile deleted page contents
+ on Special:Undelete by default; show source, with an optional preview.
+ The revisions list no longer shows the latest text by default, so it can
+ still be operated if the text is hostile.
 === Caveats ===
diff --git a/includes/SpecialUndelete.php b/includes/SpecialUndelete.php
index 3a3dabaa81..7d55e0a21e 100644
--- a/includes/SpecialUndelete.php
+++ b/includes/SpecialUndelete.php
@@ -311,9 +311,12 @@ class UndeleteForm {
 $this->mAction = $request->getText( 'action' );
 $this->mTarget = $request->getText( 'target' );
 $this->mTimestamp = $request->getText( 'timestamp' );
- $this->mRestore = $request->getCheck( 'restore' ) &&
- $request->wasPosted() &&
+
+ $posted = $request->wasPosted() &&
 $wgUser->matchEditToken( $request->getVal( 'wpEditToken' ) );
+ $this->mRestore = $request->getCheck( 'restore' ) && $posted;
+ $this->mPreview = $request->getCheck( 'preview' ) && $posted;
+
 if( $par != "" ) {
 $this->mTarget = $par;
 }
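Review bot: `$posted` on the new side means more than its name says — it is true only for a POST that also passed `matchEditToken`, and both `mRestore` and `mPreview` now hang off it, so it is the CSRF guard for two actions rather than a plain "was this a POST" flag. A one-line comment would keep a later reader from weakening it, e.g. `// POST carrying a valid edit token; gates both restore and preview (CSRF guard)`. The enclosing function (presumably the form's constructor, since it reads `$request` and `$par`) starts before the hunk.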
@@ -399,7 +402,46 @@ class UndeleteForm { $wgOut->setPagetitle( wfMsg( "undeletepage" ) ); $wgOut->addWikiText( "(" . wfMsg( "undeleterevision", - $wgLang->date( $timestamp ) ) . ")\n
\n" . $text ); + $wgLang->date( $timestamp ) ) . ")\n" ); + + if( $this->mPreview ) { + $wgOut->addHtml( "
\n" ); + $wgOut->addWikiText( $text ); + } + + $self = Title::makeTitle( NS_SPECIAL, "Undelete" ); + + $wgOut->addHtml( + wfElement( 'textarea', array( + 'readonly' => true, + 'cols' => intval( $wgUser->getOption( 'cols' ) ), + 'rows' => intval( $wgUser->getOption( 'rows' ) ) ), + $text ) . + wfOpenElement( 'div' ) . + wfOpenElement( 'form', array( + 'method' => 'post', + 'action' => $self->getLocalURL( "action=submit" ) ) ) . + wfElement( 'input', array( + 'type' => 'hidden', + 'name' => 'target', + 'value' => $this->mTargetObj->getPrefixedUrl() ) ) . + wfElement( 'input', array( + 'type' => 'hidden', + 'name' => 'timestamp', + 'value' => $timestamp ) ) . + wfElement( 'input', array( + 'type' => 'hidden', + 'name' => 'wpEditToken', + 'value' => $wgUser->editToken() ) ) . + wfElement( 'input', array( + 'type' => 'hidden', + 'name' => 'preview', + 'value' => '1' ) ) . + wfElement( 'input', array( + 'type' => 'submit', + 'value' => wfMsg( 'preview' ) ) ) . + wfCloseElement( 'form' ) . + wfCloseElement( 'div' ) ); } /* private */ function showHistory() { @@ -419,7 +461,7 @@ class UndeleteForm { return; } if ( $this->mAllowed ) { - $wgOut->addWikiText( wfMsg( "undeletehistory" ) . "\n----\n" . $text ); + $wgOut->addWikiText( wfMsg( "undeletehistory" ) ); } else { $wgOut->addWikiText( wfMsg( "undeletehistorynoadmin" ) ); } -- 2.20.1
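Review bot: The preview branch near the top of the hunk (`if( $this->mPreview )`) feeds the deleted revision's text straight to `addWikiText`, so the only thing standing between a hostile revision and the viewer is the token-checked POST set up in the constructor, and nothing at this call site records that — a later cleanup that reads `preview` from a GET would quietly reopen bug 4502/5017. I would put that next to the check: `// Rendering deleted text is opt-in: mPreview is only set on a POST with a valid edit token, never on a plain view.` The read-only textarea relies on `wfElement` escaping `$text` as element content (a literal `</textarea>` inside the revision has to come out as an entity); I take that to be wfElement's contract, but it deserves a word there as well, since the whole point of the change is that this text is untrusted. The function containing this hunk starts above it, outside the hunk.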
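Review bot: With the `$text` concatenation gone from the `mAllowed` branch, `$text` looks unused in showHistory unless something later in the function still reads it; if it is still loaded before this hunk, that fetch of the latest deleted revision is now wasted work on every history view and should be dropped or deferred. I cannot see showHistory's start or end from this hunk, so please check the variable's other uses before removing the load. A short comment on the new line would also record why the text is no longer shown: `// Latest text is deliberately not rendered here (bug 4502, 5017); use the preview on the revision view.`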