Dan-nl has uploaded a new change for review.
https://gerrit.wikimedia.org/r/96510
Change subject: input-field-size
......................................................................
input-field-size
Aaron Schulz requested that we validate input sizes for sanity. I also added a
method to
XmlDetectHandler.php that displays field labels for MediaWiki template
parameters
without the - or _, and without gwtoolset- for script-added gwtoolset fields.
Change-Id: If02a21bbb2c35210c778b40d6fe1084debcacb3b
---
M GWToolset.i18n.php
M includes/Handlers/Forms/MetadataDetectHandler.php
M includes/Handlers/Forms/MetadataMappingHandler.php
M includes/Handlers/Xml/XmlDetectHandler.php
M includes/functions/functions.php
5 files changed, 93 insertions(+), 43 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/GWToolset
refs/changes/10/96510/1
diff --git a/GWToolset.i18n.php b/GWToolset.i18n.php
index 2baae58..3cbca02 100644
--- a/GWToolset.i18n.php
+++ b/GWToolset.i18n.php
@@ -43,6 +43,7 @@
'gwtoolset-no-accepted-types' => 'No accepted types provided',
'gwtoolset-no-callback' => 'No callback passed to this method.',
'gwtoolset-no-comment' => "<code>user_options['comment']</code> not
set.",
+ 'gwtoolset-no-field-size' => 'No field size was specified for the field
($1).',
'gwtoolset-no-file-backend-name' => 'No file backend name provided.',
'gwtoolset-no-file-backend-container' => 'No file backend container
name provided.',
'gwtoolset-no-file-url' => 'No <code>file_url</code> provided to
parse.',
@@ -349,6 +350,7 @@
'gwtoolset-no-callback' => 'Hint to the developer that appears when no
callback is given.',
'gwtoolset-no-change' => 'Appears when there has been no change to a
wiki page.',
'gwtoolset-no-comment' => "Hint to the developer that appears when
user_options['comment'] is not set.",
+ 'gwtoolset-no-field-size' => 'Developer message that appears when no
field size was specified for the field ($1).',
'gwtoolset-no-file' => 'User error message that appears when no file
was received by the upload form. Parameter $1, when provided is a hint to the
developer as to where the problem occured in the application.',
'gwtoolset-no-file-backend-name' => 'Message that appears when a web
admin does not provide a file backend name.',
'gwtoolset-no-file-backend-container' => 'Message that appears wher no
file backend container name was provided.',
diff --git a/includes/Handlers/Forms/MetadataDetectHandler.php
b/includes/Handlers/Forms/MetadataDetectHandler.php
index b347782..8779913 100644
--- a/includes/Handlers/Forms/MetadataDetectHandler.php
+++ b/includes/Handlers/Forms/MetadataDetectHandler.php
@@ -27,13 +27,13 @@
* @var {array}
*/
protected $_expected_post_fields = array(
- 'gwtoolset-form',
- 'MAX_FILE_SIZE',
- 'gwtoolset-mediawiki-template-name',
- 'gwtoolset-metadata-file-upload',
- 'gwtoolset-metadata-mapping-url',
- 'gwtoolset-record-element-name',
- 'wpEditToken'
+ array( 'gwtoolset-form' => array( 'size' => 255 ) ),
+ array( 'MAX_FILE_SIZE' => array( 'size' => 255 ) ),
+ array( 'gwtoolset-mediawiki-template-name' => array( 'size' =>
255 ) ),
+ array( 'gwtoolset-metadata-file-upload' => array( 'size' => 255
) ),
+ array( 'gwtoolset-metadata-mapping-url' => array( 'size' => 255
) ),
+ array( 'gwtoolset-record-element-name' => array( 'size' => 255
) ),
+ array( 'wpEditToken' => array( 'size' => 255 ) )
);
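Review bot: Each entry of `$_expected_post_fields` is now a one-element array wrapped in a list entry, which forces the consumer to recover the field name with `key()`; a plain map keyed by field name, `'gwtoolset-form' => array( 'size' => 255 ),`, expresses the same data and lets the consumer iterate with `foreach ( $expected_post_fields as $field => $metadata )`. The same shape is used in the `$_expected_post_fields` hunk of MetadataMappingHandler.php. Every field carries the same literal 255; a single named constant on the handler would make the limit easy to tune and give it a place to be documented. The property belongs to a class whose header and remaining body are outside the hunk.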
/**
diff --git a/includes/Handlers/Forms/MetadataMappingHandler.php
b/includes/Handlers/Forms/MetadataMappingHandler.php
index 91c545a..4d05d46 100644
--- a/includes/Handlers/Forms/MetadataMappingHandler.php
+++ b/includes/Handlers/Forms/MetadataMappingHandler.php
@@ -38,25 +38,25 @@
* @var {array}
*/
protected $_expected_post_fields = array(
- 'gwtoolset-category',
- 'gwtoolset-category-phrase',
- 'gwtoolset-category-metadata',
- 'gwtoolset-form',
- 'gwtoolset-preview',
- 'gwtoolset-mediawiki-template-name',
- 'gwtoolset-metadata-file-mwstore',
- 'gwtoolset-metadata-file-sha1',
- 'gwtoolset-metadata-file-url',
- 'gwtoolset-metadata-mapping-name',
- 'gwtoolset-metadata-mapping-subpage',
- 'gwtoolset-metadata-mapping-url',
- 'gwtoolset-metadata-namespace',
- 'gwtoolset-partner-template-url',
- 'gwtoolset-record-begin',
- 'gwtoolset-record-count',
- 'gwtoolset-record-element-name',
- 'wpEditToken',
- 'wpSummary'
+ array( 'gwtoolset-category' => array( 'size' => 255 ) ),
+ array( 'gwtoolset-category-phrase' => array( 'size' => 255 ) ),
+ array( 'gwtoolset-category-metadata' => array( 'size' => 255 )
),
+ array( 'gwtoolset-form' => array( 'size' => 255 ) ),
+ array( 'gwtoolset-preview' => array( 'size' => 255 ) ),
+ array( 'gwtoolset-mediawiki-template-name' => array( 'size' =>
255 ) ),
+ array( 'gwtoolset-metadata-file-mwstore' => array( 'size' =>
255 ) ),
+ array( 'gwtoolset-metadata-file-sha1' => array( 'size' => 255 )
),
+ array( 'gwtoolset-metadata-file-url' => array( 'size' => 255 )
),
+ array( 'gwtoolset-metadata-mapping-name' => array( 'size' =>
255 ) ),
+ array( 'gwtoolset-metadata-mapping-subpage' => array( 'size' =>
255 ) ),
+ array( 'gwtoolset-metadata-mapping-url' => array( 'size' => 255
) ),
+ array( 'gwtoolset-metadata-namespace' => array( 'size' => 255 )
),
+ array( 'gwtoolset-partner-template-url' => array( 'size' => 255
) ),
+ array( 'gwtoolset-record-begin' => array( 'size' => 255 ) ),
+ array( 'gwtoolset-record-count' => array( 'size' => 255 ) ),
+ array( 'gwtoolset-record-element-name' => array( 'size' => 255
) ),
+ array( 'wpEditToken' => array( 'size' => 255 ) ),
+ array( 'wpSummary' => array( 'size' => 255 ) )
);
/**
@@ -473,7 +473,12 @@
$this->_MediawikiTemplate->getMediaWikiTemplate(
$_POST['gwtoolset-mediawiki-template-name'] );
foreach ( $this->_MediawikiTemplate->mediawiki_template_array
as $key => $value ) {
- $this->_expected_post_fields[] = Filter::evaluate( $key
);
+ // MediaWiki template parameters sometimes contain
spaces
+ $key = \GWToolset\normalizeSpace( $key );
+
+ $this->_expected_post_fields[] = array(
+ Filter::evaluate( $key ) => array( 'size' =>
255 )
+ );
}
$this->_whitelisted_post = \GWToolset\getWhitelistedPost(
$this->_expected_post_fields );
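Review bot: Template parameters are registered with the same fixed `'size' => 255` as the fixed control fields, but these presumably carry mapped metadata values, and getWhitelistedPost shortens anything longer with `substr`, so a long but legitimate value would be silently cut at 255 bytes with no feedback to the user. If the limit is meant to be provisional, record that next to the literal, e.g. `// TODO: template parameter values may legitimately exceed 255; limit is provisional`, or derive the size from the template definition instead of the literal. The foreach runs inside a method whose start and end are outside the hunk.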
diff --git a/includes/Handlers/Xml/XmlDetectHandler.php
b/includes/Handlers/Xml/XmlDetectHandler.php
index 783175a..f82886b 100644
--- a/includes/Handlers/Xml/XmlDetectHandler.php
+++ b/includes/Handlers/Xml/XmlDetectHandler.php
@@ -193,7 +193,7 @@
return sprintf(
$template,
Filter::evaluate( $parameter_as_id ),
- Filter::evaluate( $parameter ),
+ $this->getFormLabel( $parameter ),
$required,
Filter::evaluate( $parameter ),
Filter::evaluate( $parameter_as_id ),
@@ -224,7 +224,7 @@
return sprintf(
$template,
Filter::evaluate( $parameter_as_id ),
- Filter::evaluate( $parameter ),
+ $this->getFormLabel( $parameter ),
$required,
Filter::evaluate( $parameter ),
Filter::evaluate( $parameter_as_id ),
@@ -256,6 +256,25 @@
}
/**
+ * normalizes form field names so that - _ and gwtoolset are removed
from the form label
+ *
+ * @param {string}
+ *
+ * @return {string}
+ * the string has been sanitized
+ */
+ protected function getFormLabel( $parameter ) {
+ $result = Filter::evaluate( $parameter );
+ $result = str_replace(
+ array( '_', '-', 'gwtoolset' ),
+ array( ' ', ' ', '' ),
+ $result
+ );
+
+ return $result;
+ }
+
+ /**
* a decorator method that creates table rows based on the example
* DOMElement, $this->_metadata_example_dom_element. the table rows
* are extracted metadata elements and their values
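Review bot: The `str_replace` with the arrays `'_', '-', 'gwtoolset'` applies the replacements in order, so `gwtoolset-foo` first becomes `gwtoolset foo` and then ` foo` with a leading space, and any parameter whose name merely contains `gwtoolset` loses that substring mid-word, whereas the commit message says only the `gwtoolset-` prefix of script-added fields should go. Strip the prefix only at the start and trim the result: `if ( strpos( $result, 'gwtoolset-' ) === 0 ) { $result = substr( $result, strlen( 'gwtoolset-' ) ); }` before the `_`/`-` replacement, and `return trim( $result );`. The docblock's `@param {string}` is missing the parameter name, `@param {string} $parameter`, and "the string has been sanitized" overstates the method: it runs `Filter::evaluate` and then rewrites separators, so the return note should describe a display label rather than claim sanitization. Since the replacement only inserts spaces or removes characters after `Filter::evaluate`, whatever escaping that call performs is preserved.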
diff --git a/includes/functions/functions.php b/includes/functions/functions.php
index c7786b5..12a7fb4 100644
--- a/includes/functions/functions.php
+++ b/includes/functions/functions.php
@@ -109,6 +109,7 @@
if ( empty( $page_title ) ) {
throw new MWException(
+ __METHOD__ . ': ' .
wfMessage( 'gwtoolset-developer-issue' )
->params( wfMessage( 'gwtoolset-no-page-title'
)->escaped() )
->parse()
@@ -156,10 +157,15 @@
/**
* cycles over the $_POST and returns a “whitelisted-post” that:
* - contains only the posted fields expected
- * - sanitizes those fields
- * - if the field is an array, field[], only goes into it one level
+ * - if the field is an array, only one level is applied
+ * - sanitizes those fields with
+ * - FILTER_SANITIZE_STRING
+ * @see http://php.net/manual/en/filter.filters.sanitize.php
+ * - shorterns strings > $metadata['size'], the max size expected of a field
value
*
* @param {array} $expected_post_fields
+ *
+ * @throws {MWException}
*
* @return {array}
* the values within the array have been sanitized
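Review bot: The new bullet `* - shorterns strings > $metadata['size'], the max size expected of a field value` has a typo and reads awkwardly; `* - shortens strings longer than $metadata['size'], the maximum size expected of a field value`. The replacement bullet `- if the field is an array, only one level is applied` is vaguer than the line it replaces; since the code comments `// avoid field[][]`, say so: `* - if the field is an array, field[], only its first level is read (field[][] is ignored)`. The function this docblock describes begins in the next hunk.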
@@ -167,21 +173,39 @@
function getWhitelistedPost( array $expected_post_fields = array() ) {
$result = array();
- foreach ( $expected_post_fields as $field ) {
- $field = normalizeSpace( $field );
+ foreach ( $expected_post_fields as $metadata ) {
+ $field = key( $metadata );
- if ( isset( $_POST[$field] ) ) {
- if ( is_array( $_POST[$field] ) ) {
- $result[$field] = array();
- foreach ( $_POST[$field] as $subfield )
{
- // avoid field[][]
- if ( !is_array( $subfield ) ) {
- $result[$field][] =
Filter::evaluate( $subfield );
- }
+ if ( !isset( $_POST[$field] ) ) {
+ continue;
+ }
+
+ if ( !isset( $metadata[$field]['size'] ) ) {
+ throw new MWException(
+ __METHOD__ . ': ' .
+ wfMessage( 'gwtoolset-developer-issue' )
+ ->params(
+ wfMessage(
'gwtoolset-no-field-size' )
+ ->params(
$field )
+ ->escaped()
+ )
+ ->parse()
+ );
+ }
+
+ if ( is_array( $_POST[$field] ) ) {
+ $result[$field] = array();
+
+ foreach ( $_POST[$field] as $value ) {
+ // avoid field[][]
+ if ( !is_array( $value ) ) {
+ $value = substr( $value, 0,
$metadata[$field]['size'] );
+ $result[$field][] =
Filter::evaluate( $value );
}
- } else {
- $result[$field] = Filter::evaluate(
$_POST[$field] );
}
+ } else {
+ $value = substr( $_POST[$field], 0,
$metadata[$field]['size'] );
+ $result[$field] = Filter::evaluate( $value );
}
}
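Review bot: `substr( $value, 0, $metadata[$field]['size'] )`, and the same call in the else branch, truncates by byte, so a cut at 255 that lands inside a multi-byte UTF-8 sequence yields an invalid string that is then handed to `Filter::evaluate`; `mb_substr( $value, 0, $metadata[$field]['size'], 'UTF-8' )` counts characters and never splits a code point (MediaWiki core provides an mb_substr fallback when mbstring is unavailable, as far as I recall). The limit is also enforced by silent truncation, so an over-long token, URL or sha1 becomes a wrong-but-plausible value instead of a rejected request; given that the change is described as validation, consider throwing or flagging the field rather than shortening it. The `!isset( $metadata[$field]['size'] )` developer check sits after the `continue`, so a misconfigured entry is only reported when that field happens to be posted; moving it above the `$_POST` check makes the misconfiguration fail fast. getWhitelistedPost's closing lines, including its return, are outside the hunk.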
--
To view, visit https://gerrit.wikimedia.org/r/96510
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: If02a21bbb2c35210c778b40d6fe1084debcacb3b
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/GWToolset
Gerrit-Branch: master
Gerrit-Owner: Dan-nl <[email protected]>