/**
* convert text to different variants of a language.
*
+ * @warning Glossary state is maintained between calls. This means
+ * if you pass unescaped text to this method it can cause an XSS
+ * in later calls to this method, even if the later calls have properly
+ * escaped the input. Never feed this method user controlled text that
+ * is not properly escaped!
* @param string $text Content that has been already escaped for use in HTML
* @return string HTML
*/
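Review bot: The escaping requirement added to this docblock is only prose, so static analysis will not flag a caller that passes raw text; it should carry the same annotations the commit gives convertTo(), `@param-taint $text exec_html` and `@return-taint escaped`. The same applies to the convert() docblock in the next hunk, which gains the `@warning` but no taint annotations; whether the analyzer already infers this through a call into convertTo() is not visible here. Because the glossary state outlives a single call, one missed call site also affects later, correctly escaped calls, so the check is worth having on every public entry point. The method this docblock belongs to starts after the hunk.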
* -{flags|code1:text1;code2:text2;...}- or
* -{text}- in which case no conversion should take place for text
*
- * @param string $text Text to be converted
- * @return string Converted text
+ * @warning Glossary state is maintained between calls. Never feed this
+ * method input that hasn't properly been escaped as it may result in
+ * an XSS in subsequent calls, even if those subsequent calls properly
+ * escape things.
+ * @param string $text Text to be converted, already html escaped.
+ * @return string Converted text (html)
*/
public function convert( $text ) {
$variant = $this->getPreferredVariant();
/**
* Same as convert() except a extra parameter to custom variant.
*
- * @param string $text Text to be converted
+ * @param string $text Text to be converted, already html escaped
+ * @param-taint $text exec_html
* @param string $variant The target variant code
* @return string Converted text
+ * @return-taint escaped
*/
public function convertTo( $text, $variant ) {
global $wgDisableLangConversion;
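Review bot: convertTo() is annotated for taint checking but, unlike the other two docblocks in this change, gets no `@warning` about glossary state persisting between calls, although it is presumably where convert() ends up. I would repeat the warning here, e.g. `@warning Glossary state is maintained between calls; never pass text that has not been HTML-escaped.`, and align the return line with convert(): `@return string Converted text (html)`. The body of convertTo() continues outside the hunk.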