Using Message::rawParams() is something that should immediately
jump out as scary. While it's perfectly safe to do something like
wfMessage( 'foo' )->rawParams( $userControlledVar )->text() and
escape later, mixing the safe type of rawParams with the
dangerous type makes it more likely someone will miss something
when checking for security.
To reduce the likelihood of confusion, prefer ->plaintextParams
for such cases, as it can be seen to be safe at a glance.
Change-Id: Ib067eb08ec934779ae743751306f1a0397bdf71c
if ( strval( $term ) !== '' ) {
$out->setPageTitle( $this->msg( 'searchresults' ) );
$out->setHTMLTitle( $this->msg( 'pagetitle' )
- ->rawParams( $this->msg( 'searchresults-title' )->rawParams( $term )->text() )
+ ->plaintextParams( $this->msg( 'searchresults-title' )->plaintextParams( $term )->text() )
->inContentLanguage()->text()
);
}
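Review bot: the nesting on the `+` line is only equivalent to the old behaviour because both the inner 'searchresults-title' message and the outer 'pagetitle' message are rendered with ->text(), where plaintext params are passed through untouched; if either call is later changed to ->parse() or ->escaped(), the inner string would be HTML-escaped once by the inner message and again by the outer one. A one-line comment above $out->setHTMLTitle( noting that both layers must stay in text format, with the final escaping left to setHTMLTitle(), would make that constraint visible to the next person editing this block.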
$userLink = $this->getFileUser( $file );
$data = $this->msg( 'widthheight' )->numParams( $row->fa_width, $row->fa_height )->text();
$bytes = $this->msg( 'parentheses' )
- ->rawParams( $this->msg( 'nbytes' )->numParams( $row->fa_size )->text() )
+ ->plaintextParams( $this->msg( 'nbytes' )->numParams( $row->fa_size )->text() )
->plain();
$data = htmlspecialchars( $data . ' ' . $bytes );
$comment = $this->getFileComment( $file );
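Review bot: the switch to ->plaintextParams( ... ) on the `+` line is correct but has no effect on output here, since the outer 'parentheses' message is rendered with ->plain() and the assembled $data . ' ' . $bytes string is escaped once by htmlspecialchars() on the following line; the parameter is also a number from numParams(), not user text. Worth stating in the commit message that this hunk is a readability change only, so nobody later tries to "fix" it by dropping the htmlspecialchars() call on the assumption that plaintextParams already escaped the value.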