if ( $html !== null ) {
$text = new HtmlArmor( $html );
} else {
- $text = $html; // null
+ $text = null;
}
if ( in_array( 'known', $options, true ) ) {
/**
* Make an external link
+ *
* @since 1.16.3. $title added in 1.21
* @param string $url URL to link to
+ * @param-taint $url escapes_html
* @param string $text Text of link
+ * @param-taint $text escapes_html
* @param bool $escape Do we escape the link text?
+ * @param-taint $escape none
* @param string $linktype Type of external link. Gets added to the classes
+ * @param-taint $linktype escapes_html
* @param array $attribs Array of extra attributes to <a>
+ * @param-taint $attribs escapes_html
* @param Title|null $title Title object used for title specific link attributes
+ * @param-taint $title none
* @return string
*/
public static function makeExternalLink( $url, $text, $escape = true,
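Review bot: The `@param-taint $text escapes_html` annotation in the makeExternalLink() docblock only holds while `$escape` keeps its default of `true`. The docblock itself says `$escape` decides whether the link text is escaped, so a caller passing `false` with user-controlled `$text` would presumably be treated as safe by the checker. The annotation syntax cannot express that dependency, so I would record the limitation in the docblock, e.g. `* With $escape = false, $text is emitted as HTML and must already be escaped by the caller; taint-check does not model this.` The function body lies outside this hunk, so the handling of `$text` when `$escape` is false should be confirmed there.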
* good tags like \<i\> will be dropped entirely.
*
* @param string|Message $name
+ * @param-taint $name tainted
+ * Phan-taint-check gets very confused by $name being either a string or a Message
*/
public function setPageTitle( $name ) {
if ( $name instanceof Message ) {
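Review bot: `@param-taint $name tainted` in the setPageTitle() docblock appears, as far as I can tell, to stop the checker from treating `$name` as an HTML sink at all. The only rationale given is that the tool is confused by the `string|Message` union. The comment should also say why this is safe for the string case, for example `* Plain strings are escaped before output; only Message objects may carry HTML`, if that is what the body does. The body runs past this hunk, so this needs confirming. Without that statement, a later change that stops escaping the string path would pass the check unnoticed.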
# change "<i>foo&bar</i>" to "foo&bar"
$this->setHTMLTitle(
- $this->msg( 'pagetitle' )->rawParams( Sanitizer::stripAllTags( $nameWithTags ) )
+ $this->msg( 'pagetitle' )->plaintextParams( Sanitizer::stripAllTags( $nameWithTags ) )
->inContentLanguage()
);
}
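Review bot: The switch to `plaintextParams()` carries no comment explaining why the stripped title must not be passed as a raw parameter. If `Sanitizer::stripAllTags()` returns decoded text, as the `# change ...` comment above the call suggests, its output can contain literal `<` or `&` and is not HTML. I would add `# stripAllTags() output is plain text, not HTML, so it must not be passed as a raw param` above the call so the choice is not reverted later. How setHTMLTitle() formats the Message is outside this hunk.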
return 'application/vnd.php.serialized';
}
+ /**
+ * @suppress SecurityCheck-XSS Output type is not text/html
+ */
public function execute() {
$params = $this->extractRequestParams();