From fc6d8a9cdb90e753ea05f2da9b32148456ecccc1 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Fri, 27 Oct 2017 14:26:33 +0000
Subject: [PATCH] Prefer using plaintextParams instead of rawParams where possible

Using Message::rawParams() is something that should immediately jump out as scary. While it's perfectly safe to do something like wfMessage( 'foo' )->rawParams( $userControlledVar )->text() and escape later, mixing the safe type of rawParams with the dangerous type makes it more likely someone will miss something when checking for security. To reduce the likelyhood of confusion, prefer ->plaintextParams for such cases, as it can be seen to be safe at a glance.

Change-Id: Ib067eb08ec934779ae743751306f1a0397bdf71c
---
 includes/specials/SpecialSearch.php | 2 +-
 includes/specials/SpecialUndelete.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/specials/SpecialSearch.php b/includes/specials/SpecialSearch.php
index 85b4572bd5..09210e4379 100644
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -529,7 +529,7 @@ class SpecialSearch extends SpecialPage {
 if ( strval( $term ) !== '' ) {
 $out->setPageTitle( $this->msg( 'searchresults' ) );
 $out->setHTMLTitle( $this->msg( 'pagetitle' )
- ->rawParams( $this->msg( 'searchresults-title' )->rawParams( $term )->text() )
+ ->plaintextParams( $this->msg( 'searchresults-title' )->plaintextParams( $term )->text() )
 ->inContentLanguage()->text()
 );
 }
diff --git a/includes/specials/SpecialUndelete.php b/includes/specials/SpecialUndelete.php
index 740207d6b9..9cb34073a2 100644
--- a/includes/specials/SpecialUndelete.php
+++ b/includes/specials/SpecialUndelete.php
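Review bot: On the changed line plaintextParams() inserts `$term` unchanged, because the chain ends in `->text()`, so the value handed to setHTMLTitle() is still unescaped plain text (presumably the user's search input) and the change improves only the at-a-glance signal; the escaping of the HTML `<title>` has to happen in OutputPage when it is emitted, which is outside this hunk. That dependency is worth stating at the `$out->setHTMLTitle( $this->msg( 'pagetitle' )` line with a comment such as `// plain text, not HTML: setHTMLTitle() is responsible for escaping it on output`. The same holds for the SpecialUndelete hunk, where `->plain()` leaves the plaintextParams() value unchanged and the following `htmlspecialchars()` call is the actual escaping step. The enclosing method begins and ends outside the hunk.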
@@ -974,7 +974,7 @@ class SpecialUndelete extends SpecialPage {
 $userLink = $this->getFileUser( $file );
 $data = $this->msg( 'widthheight' )->numParams( $row->fa_width, $row->fa_height )->text();
 $bytes = $this->msg( 'parentheses' )
- ->rawParams( $this->msg( 'nbytes' )->numParams( $row->fa_size )->text() )
+ ->plaintextParams( $this->msg( 'nbytes' )->numParams( $row->fa_size )->text() )
 ->plain();
 $data = htmlspecialchars( $data . ' ' . $bytes );
 $comment = $this->getFileComment( $file );
-- 
2.20.1
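Review bot: The `$data` value two lines above the change is rendered with `->text()` while the new `$bytes` chain ends in `->plain()`, so two fragments that are concatenated and escaped together on the `htmlspecialchars( $data . ' ' . $bytes )` line pass through different message output formats. Unless the difference is intended for the `parentheses` message, ending both chains in `->text()` would make the pair easier to review as a unit, e.g. `->plain();` → `->text();`. With either format the plaintextParams() argument is inserted unchanged, so the htmlspecialchars() line remains the single escaping step and deserves to stay adjacent to these assignments. The enclosing method begins and ends outside the hunk.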