$string = $this->fetchMessage();
if ( $string === false ) {
- if ( $this->format === 'plain' || $this->format === 'text' ) {
- return '<' . $this->key . '>';
- }
- return '<' . htmlspecialchars( $this->key ) . '>';
+ // Err on the side of safety, ensure that the output
+ // is always html safe in the event the message key is
+ // missing, since in that case its highly likely the
+ // message key is user-controlled.
+ // '⧼' is used instead of '<' to side-step any
+ // double-escaping issues.
+ return '⧼' . htmlspecialchars( $this->key ) . '⧽';
}
# Replace $* with a list of parameters for &uselang=qqx.
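Review bot: The `htmlspecialchars( $this->key )` call on the new return line relies on PHP's default flags, which before PHP 8.1 (ENT_COMPAT) leave single quotes untouched and return an empty string when the key is not valid UTF-8, so the fallback is only safe in element content and double-quoted attributes and silently degrades to `⧼⧽` on malformed input; prefer `return '⧼' . htmlspecialchars( $this->key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ) . '⧽';`. The new comment should also state explicitly that plain() and text() now return entity-encoded output for a missing key, since callers emitting to non-HTML sinks (logs, mail, API) will see `&lt;` literally — that is the trade-off "err on the side of safety" alludes to without spelling out. The enclosing method begins before this hunk.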
!! wikitext
{{int:var}}
!! html
-<p><var>
+<p>⧼var⧽
</p>
!! end
*/
public function testToStringKey() {
$this->assertEquals( 'Main Page', wfMessage( 'mainpage' )->text() );
- $this->assertEquals( '<i-dont-exist-evar>', wfMessage( 'i-dont-exist-evar' )->text() );
- $this->assertEquals( '<i<dont>exist-evar>', wfMessage( 'i<dont>exist-evar' )->text() );
- $this->assertEquals( '<i-dont-exist-evar>', wfMessage( 'i-dont-exist-evar' )->plain() );
- $this->assertEquals( '<i<dont>exist-evar>', wfMessage( 'i<dont>exist-evar' )->plain() );
- $this->assertEquals( '<i-dont-exist-evar>', wfMessage( 'i-dont-exist-evar' )->escaped() );
+ $this->assertEquals( '⧼i-dont-exist-evar⧽', wfMessage( 'i-dont-exist-evar' )->text() );
+ $this->assertEquals( '⧼i<dont>exist-evar⧽', wfMessage( 'i<dont>exist-evar' )->text() );
+ $this->assertEquals( '⧼i-dont-exist-evar⧽', wfMessage( 'i-dont-exist-evar' )->plain() );
+ $this->assertEquals( '⧼i<dont>exist-evar⧽', wfMessage( 'i<dont>exist-evar' )->plain() );
+ $this->assertEquals( '⧼i-dont-exist-evar⧽', wfMessage( 'i-dont-exist-evar' )->escaped() );
$this->assertEquals(
- '<i<dont>exist-evar>',
+ '⧼i<dont>exist-evar⧽',
wfMessage( 'i<dont>exist-evar' )->escaped()
);
}
public static function provideToString() {
return [
[ 'mainpage', 'Main Page' ],
- [ 'i-dont-exist-evar', '<i-dont-exist-evar>' ],
- [ 'i-dont-exist-evar', '<i-dont-exist-evar>', 'escaped' ],
+ [ 'i-dont-exist-evar', '⧼i-dont-exist-evar⧽' ],
+ [ 'i-dont-exist-evar', '⧼i-dont-exist-evar⧽', 'escaped' ],
+ [ 'script>alert(1)</script', '⧼script>alert(1)</script⧽', 'escaped' ],
+ [ 'script>alert(1)</script', '⧼script>alert(1)</script⧽' ],
];
}
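Review bot: The two new data rows only exercise angle brackets, so nothing pins down how a key containing `'` or `"` is rendered, which is exactly where htmlspecialchars() with default flags behaves differently across PHP versions; a row such as `[ 'a"b', '⧼a&quot;b⧽', 'escaped' ]` would make that behaviour explicit. As shown here the expected strings `'⧼script>alert(1)</script⧽'` contain raw `<` and `>`, which the new code's htmlspecialchars() would never produce — this is presumably entity decoding in the rendering of the page, but if the literals really are unescaped the rows cannot pass and should read `'⧼script&gt;alert(1)&lt;/script⧽'`.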
$status->warning( 'fooBar!' );
$testCases['1StringWarning'] = [
$status,
- "<fooBar!>",
+ "⧼fooBar!⧽",
"(wrap-short: (fooBar!))",
- "<p><fooBar!>\n</p>",
+ "<p>⧼fooBar!⧽\n</p>",
"<p>(wrap-short: (fooBar!))\n</p>",
];
$status->warning( 'fooBar2!' );
$testCases['2StringWarnings'] = [
$status,
- "* <fooBar!>\n* <fooBar2!>\n",
+ "* ⧼fooBar!⧽\n* ⧼fooBar2!⧽\n",
"(wrap-long: * (fooBar!)\n* (fooBar2!)\n)",
- "<ul><li> <fooBar!></li>\n<li> <fooBar2!></li></ul>\n",
+ "<ul><li> ⧼fooBar!⧽</li>\n<li> ⧼fooBar2!⧽</li></ul>\n",
"<p>(wrap-long: * (fooBar!)\n</p>\n<ul><li> (fooBar2!)</li></ul>\n<p>)\n</p>",
];
$status->warning( new Message( 'fooBar!', [ 'foo', 'bar' ] ) );
$testCases['1MessageWarning'] = [
$status,
- "<fooBar!>",
+ "⧼fooBar!⧽",
"(wrap-short: (fooBar!: foo, bar))",
- "<p><fooBar!>\n</p>",
+ "<p>⧼fooBar!⧽\n</p>",
"<p>(wrap-short: (fooBar!: foo, bar))\n</p>",
];
$status->warning( new Message( 'fooBar2!' ) );
$testCases['2MessageWarnings'] = [
$status,
- "* <fooBar!>\n* <fooBar2!>\n",
+ "* ⧼fooBar!⧽\n* ⧼fooBar2!⧽\n",
"(wrap-long: * (fooBar!: foo, bar)\n* (fooBar2!)\n)",
- "<ul><li> <fooBar!></li>\n<li> <fooBar2!></li></ul>\n",
+ "<ul><li> ⧼fooBar!⧽</li>\n<li> ⧼fooBar2!⧽</li></ul>\n",
"<p>(wrap-long: * (fooBar!: foo, bar)\n</p>\n<ul><li> (fooBar2!)</li></ul>\n<p>)\n</p>",
];