* As required by the callers, "<nowiki>" is not used.
*
* @param string $text Text to be escaped
+ * @param-taint $text escapes_html
* @return string
*/
function wfEscapeWikiText( $text ) {
* the last time (this is for B/C and should be avoided).
*
* @return string HTML
+ * @suppress SecurityCheck-DoubleEscaped phan false positive
*/
public function toString( $format = null ) {
if ( $format === null ) {
* );
* @endcode
* @param string $templateName The name of the template
+ * @param-taint $templateName exec_misc
* @param mixed $args
+ * @param-taint $args none
* @param array $scopes
+ * @param-taint $scopes none
* @return string
*/
public function processTemplate( $templateName, $args, array $scopes = [] ) {
} else {
return MediaWikiServices::getInstance()->getLinkRenderer()->makeKnownLink(
$this->getTitle(),
- $cur,
+ new HtmlArmor( $cur ),
[],
[
'diff' => $this->getWikiPage()->getLatest(),
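Review bot: Wrapping `$cur` in `HtmlArmor` tells makeKnownLink that the label is already HTML, so the place where `$cur` is built (outside this hunk) must now produce escaped output, e.g. a message rendered with `->escaped()` rather than `->text()`, or the label reaches the page unescaped. That assignment is not visible here, so please confirm it before merging. The same check applies to the two `new HtmlArmor( $last )` hunks that follow.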
# Next row probably exists but is unknown, use an oldid=prev link
return $linkRenderer->makeKnownLink(
$this->getTitle(),
- $last,
+ new HtmlArmor( $last ),
[],
[
'diff' => $prevRev->getId(),
return $linkRenderer->makeKnownLink(
$this->getTitle(),
- $last,
+ new HtmlArmor( $last ),
[],
[
'diff' => $prevRev->getId(),
# Log timestamp
if ( $type == RC_LOG ) {
- $link = $rcObj->timestamp;
+ $link = htmlspecialchars( $rcObj->timestamp );
# Revision link
} elseif ( !ChangesList::userCan( $rcObj, Revision::DELETED_TEXT, $this->getUser() ) ) {
- $link = '<span class="history-deleted">' . $rcObj->timestamp . '</span> ';
+ $link = Html::element( 'span', [ 'class' => 'history-deleted' ], $rcObj->timestamp );
} else {
$link = $this->linkRenderer->makeKnownLink(
$rcObj->getTitle(),
- new HtmlArmor( $rcObj->timestamp ),
+ $rcObj->timestamp,
[],
$params
);
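Review bot: The `Html::element` replacement in the `history-deleted` branch drops the trailing `' '` that the removed concatenation appended after `</span>`, so the rendered line loses a space before whatever follows `$link`. If that spacing was intentional, keep it: `$link = Html::element( 'span', [ 'class' => 'history-deleted' ], $rcObj->timestamp ) . ' ';`. The other two branches (escaping the log timestamp, and passing the plain timestamp so makeKnownLink escapes it itself) are consistent with each other.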
];
// timestamp is not really a link here, but is called timestampLink
// for consistency with EnhancedChangesListModifyLineData
- $data['timestampLink'] = $rcObj->timestamp;
+ $data['timestampLink'] = htmlspecialchars( $rcObj->timestamp );
# Article or log link
if ( $logType ) {
* Output some text. If we're running from web, escape the text first.
*
* @param string $str Text to output
+ * @param-taint $str escapes_html
*/
public function output( $str ) {
if ( $this->maintenance->isQuiet() ) {
if ( ( $this->getVar( '_InstallDone' ) || $this->getVar( '_UpgradeDone' ) )
&& $this->request->getVal( 'localsettings' )
) {
- $this->request->response()->header( 'Content-type: application/x-httpd-php' );
- $this->request->response()->header(
- 'Content-Disposition: attachment; filename="LocalSettings.php"'
- );
-
- $ls = InstallerOverrides::getLocalSettingsGenerator( $this );
- $rightsProfile = $this->rightsProfiles[$this->getVar( '_RightsProfile' )];
- foreach ( $rightsProfile as $group => $rightsArr ) {
- $ls->setGroupRights( $group, $rightsArr );
- }
- echo $ls->getText();
-
+ $this->outputLS();
return $this->session;
}
return WebRequest::detectServer();
}
+ /**
+ * Actually output LocalSettings.php for download
+ *
+ * @suppress SecurityCheck-XSS
+ */
+ private function outputLS() {
+ $this->request->response()->header( 'Content-type: application/x-httpd-php' );
+ $this->request->response()->header(
+ 'Content-Disposition: attachment; filename="LocalSettings.php"'
+ );
+
+ $ls = InstallerOverrides::getLocalSettingsGenerator( $this );
+ $rightsProfile = $this->rightsProfiles[$this->getVar( '_RightsProfile' )];
+ foreach ( $rightsProfile as $group => $rightsArr ) {
+ $ls->setGroupRights( $group, $rightsArr );
+ }
+ echo $ls->getText();
+ }
+
/**
* Output stylesheet for web installer pages
*/
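Review bot: The `@suppress SecurityCheck-XSS` on `outputLS()` records no reason, unlike the tag-hook docblocks in this change that state why the finding is a false positive. Since the method sets `Content-type: application/x-httpd-php` and a `Content-Disposition: attachment` header before the `echo`, the rationale is that the body is a generated PHP file served as a download rather than an HTML page; suggest `* @suppress SecurityCheck-XSS Output is a generated LocalSettings.php served as an attachment, not HTML`. The moved lookup `$this->rightsProfiles[$this->getVar( '_RightsProfile' )]` still assumes the configured profile key exists; that is pre-existing, but a short comment saying where the key is validated would help the next reader.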
class TransformTooBigImageAreaError extends MediaTransformError {
function __construct( $params, $maxImageArea ) {
$msg = wfMessage( 'thumbnail_toobigimagearea' );
- $msg->rawParams(
+ $msg->params(
$msg->getLanguage()->formatComputingNumbers( $maxImageArea, 1000, "size-$1pixel" )
);
// in the mediawiki.page.image.pagination module
$link = Linker::linkKnown(
$this->getTitle(),
- $label,
+ htmlspecialchars( $label ),
[],
[ 'page' => $page - 1 ]
);
$label = $this->getContext()->msg( 'imgmultipagenext' )->text();
$link = Linker::linkKnown(
$this->getTitle(),
- $label,
+ htmlspecialchars( $label ),
[],
[ 'page' => $page + 1 ]
);
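Review bot: Escaping `$label` at the call site is correct because `Linker::linkKnown` takes an HTML label, but for the second link the value comes straight from `->text()` two lines earlier, so the same result reads more directly as `$label = $this->getContext()->msg( 'imgmultipagenext' )->escaped();` with `$label` passed through unchanged. The first `$label` assignment is outside this hunk; if it is built the same way it could be treated alike. This is a style point only; the behaviour should be equivalent.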
* Text is treated roughly as 'nowiki' wrapped in an HTML 'pre' tag;
* valid HTML attributes are passed on.
*
+ * Uses custom html escaping which phan-taint-check won't recognize
+ * hence we suppress the error.
+ * @suppress SecurityCheck-XSS
+ *
* @param string $text
* @param array $attribs
* @param Parser $parser
*
* Uses undocumented extended tag hook return values, introduced in r61913.
*
+ * @suppress SecurityCheck-XSS
* @param string $content
* @param array $attributes
* @param Parser $parser
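Review bot: The `@suppress SecurityCheck-XSS` added here carries no rationale, while the two sibling tag-hook docblocks in the same change place `Uses custom html escaping which phan-taint-check won't recognize hence we suppress the error.` above the tag. A bare suppression reads as an unchecked XSS sink to the next reader; suggest adding the same two-line rationale here so all three are consistent. The enclosing docblock and the function it documents start and end outside the hunk.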
*
* Uses undocumented extended tag hook return values, introduced in r61913.
*
+ * Uses custom html escaping which phan-taint-check won't recognize
+ * hence we suppress the error.
+ * @suppress SecurityCheck-XSS
+ *
* @param string $content
* @param array $attributes
* @param Parser $parser
protected function showTotal( BlockListPager $pager ) {
$out = $this->getOutput();
$out->addHTML(
- Html::element( 'div', [ 'style' => 'font-weight: bold;' ],
+ Html::rawElement( 'div', [ 'style' => 'font-weight: bold;' ],
$this->msg( 'autoblocklist-total-autoblocks', $pager->getTotalAutoblocks() )->parse() )
. "\n"
);
# Not necessary in a standard installation without such extensions enabled
if ( count( $otherAutoblockLink ) ) {
$out->addHTML(
- Html::element( 'h2', [], $this->msg( 'autoblocklist-localblocks',
+ Html::rawElement( 'h2', [], $this->msg( 'autoblocklist-localblocks',
$pager->getNumRows() )->parse() )
. "\n"
);
[],
$linkRenderer->makeLink( $mimeSearch, $mime )
);
- $row .= Html::element(
+ $row .= Html::rawElement(
'td',
[],
$this->getExtensionList( $mime )
$extArray = explode( ' ', $exts );
$extArray = array_unique( $extArray );
foreach ( $extArray as &$ext ) {
- $ext = '.' . $ext;
+ $ext = htmlspecialchars( '.' . $ext );
}
return $this->getLanguage()->commaList( $extArray );
}
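Review bot: `getExtensionList()` now returns HTML (each entry passes through `htmlspecialchars` and the caller wraps the result with `Html::rawElement`), so its docblock, which is outside this hunk, should say so, e.g. `@return string HTML`, to stop a future caller from treating the value as plain text. The separator inserted by `commaList()` is not escaped in this function; presumably it is safe markup, but that is worth confirming. The by-reference `foreach` could also become `$extArray = array_map( static function ( $ext ) { return htmlspecialchars( '.' . $ext ); }, $extArray );`, which avoids the lingering reference to `$ext` after the loop.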
/**
+ * The array keys (but not the array values) are used in sql. Phan
+ * gets confused by this, so mark this method as being ok for sql in general.
+ * @return-taint onlysafefor_sql
* @return array
*/
function getFieldNames() {