jenkins-bot has submitted this change and it was merged.
Change subject: New template helper: escapeContent
......................................................................
New template helper: escapeContent
The content field in our api responses varies depending on what
was requested: it can be html, wikitext, or plaintext. Previously
we were using {{html content}} in some places, but since this
could potentially be wikitext or plaintext, that opens up XSS vectors.
This patch replaces
{{html content}}
with
{{escapeContent contentFormat content}}
Which looks at the reported contentFormat and escapes appropriately
Change-Id: If82e1fa29da464707604646e1d1cfa220b49a5ba
---
M handlebars/compiled/flow_block_header.handlebars.php
M handlebars/compiled/flow_block_header_edit.handlebars.php
M handlebars/compiled/flow_block_header_single_view.handlebars.php
M handlebars/compiled/flow_block_topic.handlebars.php
M handlebars/compiled/flow_block_topic_edit_post.handlebars.php
M handlebars/compiled/flow_block_topic_moderate_post.handlebars.php
M handlebars/compiled/flow_block_topic_moderate_topic.handlebars.php
M handlebars/compiled/flow_block_topic_reply.handlebars.php
M handlebars/compiled/flow_block_topic_single_view.handlebars.php
M handlebars/compiled/flow_block_topiclist.handlebars.php
M handlebars/compiled/flow_block_topicsummary_edit.handlebars.php
M handlebars/compiled/flow_block_topicsummary_single_view.handlebars.php
M handlebars/compiled/flow_post.handlebars.php
M handlebars/compiled/flow_preview.handlebars.php
M handlebars/flow_block_header.handlebars
M handlebars/flow_block_header_single_view.handlebars
M handlebars/flow_block_topic_single_view.handlebars
M handlebars/flow_block_topicsummary_single_view.handlebars
M handlebars/flow_post.handlebars
M handlebars/flow_preview.handlebars
M handlebars/flow_topic.handlebars
M includes/Formatter/RevisionFormatter.php
M includes/TemplateHelper.php
M modules/new/components/flow-board.js
M modules/new/flow-handlebars.js
25 files changed, 110 insertions(+), 67 deletions(-)
Approvals:
Mattflaschen: Looks good to me, approved
jenkins-bot: Verified
diff --git a/handlebars/compiled/flow_block_header.handlebars.php
b/handlebars/compiled/flow_block_header.handlebars.php
index 641016c..4503ebf 100644
--- a/handlebars/compiled/flow_block_header.handlebars.php
+++ b/handlebars/compiled/flow_block_header.handlebars.php
@@ -7,7 +7,7 @@
'debug' => $debugopt,
),
'helpers' => Array( 'l10n' => 'Flow\TemplateHelper::l10n',
- 'html' => 'Flow\TemplateHelper::html',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array(),
@@ -18,7 +18,7 @@
return '<div class="flow-board-header">
<div class="flow-board-header-detail-view">
'.((LCRun3::ifvar($cx, ((is_array($in['revision']) &&
isset($in['revision']['content'])) ? $in['revision']['content'] : null))) ? '
- '.LCRun3::ch($cx, 'html',
Array(((is_array($in['revision']) && isset($in['revision']['content'])) ?
$in['revision']['content'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in['revision']) && isset($in['revision']['contentFormat'])) ?
$in['revision']['contentFormat'] : null),((is_array($in['revision']) &&
isset($in['revision']['content'])) ? $in['revision']['content'] : null)),
'encq').'
' : '
<p>'.LCRun3::ch($cx, 'l10n',
Array('flow-header-empty'), 'encq').'</p>
').'
diff --git a/handlebars/compiled/flow_block_header_edit.handlebars.php
b/handlebars/compiled/flow_block_header_edit.handlebars.php
index dc75942..c6e9343 100644
--- a/handlebars/compiled/flow_block_header_edit.handlebars.php
+++ b/handlebars/compiled/flow_block_header_edit.handlebars.php
@@ -7,7 +7,7 @@
'debug' => $debugopt,
),
'helpers' => Array( 'l10n' => 'Flow\TemplateHelper::l10n',
- 'html' => 'Flow\TemplateHelper::html',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array(),
@@ -35,10 +35,11 @@
' : '').'
'.((LCRun3::ifvar($cx, ((is_array($in) && isset($in['content'])) ?
$in['content'] : null))) ? '
<div class="flow-preview-sub-container">
- '.LCRun3::ch($cx, 'html', Array(((is_array($in) &&
isset($in['content'])) ? $in['content'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['contentFormat'])) ? $in['contentFormat'] :
null),((is_array($in) && isset($in['content'])) ? $in['content'] : null)),
'encq').'
</div>
' : '').'
</div>
+
<input type="hidden" name="wpEditToken"
value="'.htmlentities(((is_array($cx['scopes'][0]) &&
isset($cx['scopes'][0]['editToken'])) ? $cx['scopes'][0]['editToken'] : null),
ENT_QUOTES, 'UTF-8').'" />
'.((LCRun3::ifvar($cx, ((is_array($in['revision']) &&
isset($in['revision']['revisionId'])) ? $in['revision']['revisionId'] : null)))
? '
<input type="hidden"
name="header_prev_revision" value="'.htmlentities(((is_array($in['revision'])
&& isset($in['revision']['revisionId'])) ? $in['revision']['revisionId'] :
null), ENT_QUOTES, 'UTF-8').'" />
diff --git a/handlebars/compiled/flow_block_header_single_view.handlebars.php
b/handlebars/compiled/flow_block_header_single_view.handlebars.php
index e0f749f..c3a3eae 100644
--- a/handlebars/compiled/flow_block_header_single_view.handlebars.php
+++ b/handlebars/compiled/flow_block_header_single_view.handlebars.php
@@ -6,8 +6,8 @@
'spvar' => true,
'debug' => $debugopt,
),
- 'helpers' => Array( 'html' => 'Flow\TemplateHelper::html',
- 'l10nParse' => 'Flow\TemplateHelper::l10nParse',
+ 'helpers' => Array( 'l10nParse' =>
'Flow\TemplateHelper::l10nParse',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array(),
@@ -22,7 +22,7 @@
'.LCRun3::ch($cx, 'l10nParse',
Array('flow-revision-permalink-warning-header-first',((is_array($in['revision'])
&& isset($in['revision']['human_timestamp'])) ?
$in['revision']['human_timestamp'] :
null),((is_array($in['revision']['rev_view_links']['hist']) &&
isset($in['revision']['rev_view_links']['hist']['url'])) ?
$in['revision']['rev_view_links']['hist']['url'] :
null),((is_array($in['revision']['rev_view_links']['diff']) &&
isset($in['revision']['rev_view_links']['diff']['url'])) ?
$in['revision']['rev_view_links']['diff']['url'] : null)), 'encq').'
').'
</div>
-'.LCRun3::ch($cx, 'html', Array(((is_array($in['revision']) &&
isset($in['revision']['content'])) ? $in['revision']['content'] : null)),
'encq').'
+'.LCRun3::ch($cx, 'escapeContent', Array(((is_array($in['revision']) &&
isset($in['revision']['contentFormat'])) ? $in['revision']['contentFormat'] :
null),((is_array($in['revision']) && isset($in['revision']['content'])) ?
$in['revision']['content'] : null)), 'encq').'
';
}
?>
\ No newline at end of file
diff --git a/handlebars/compiled/flow_block_topic.handlebars.php
b/handlebars/compiled/flow_block_topic.handlebars.php
index 650874c..82ae685 100644
--- a/handlebars/compiled/flow_block_topic.handlebars.php
+++ b/handlebars/compiled/flow_block_topic.handlebars.php
@@ -9,10 +9,10 @@
'helpers' => Array( 'l10n' => 'Flow\TemplateHelper::l10n',
'uuidTimestamp' => 'Flow\TemplateHelper::uuidTimestamp',
'timestamp' => 'Flow\TemplateHelper::timestamp',
- 'html' => 'Flow\TemplateHelper::html',
'post' => 'Flow\TemplateHelper::post',
'l10nParse' => 'Flow\TemplateHelper::l10nParse',
'linkWithReturnTo' => 'Flow\TemplateHelper::linkWithReturnTo',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array( 'eachPost' =>
'Flow\TemplateHelper::eachPost',
@@ -208,7 +208,7 @@
</div>
<div class="flow-topic-summary">
'.((LCRun3::ifvar($cx, ((is_array($in) &&
isset($in['summary'])) ? $in['summary'] : null))) ? '
- '.LCRun3::ch($cx, 'html', Array(((is_array($in)
&& isset($in['summary'])) ? $in['summary'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['summaryFormat'])) ? $in['summaryFormat'] :
null),((is_array($in) && isset($in['summary'])) ? $in['summary'] : null)),
'encq').'
' : '').'
</div>
</div>
@@ -230,10 +230,11 @@
' : '').'
'.((LCRun3::ifvar($cx, ((is_array($in) && isset($in['content'])) ?
$in['content'] : null))) ? '
<div class="flow-preview-sub-container">
- '.LCRun3::ch($cx, 'html', Array(((is_array($in) &&
isset($in['content'])) ? $in['content'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['contentFormat'])) ? $in['contentFormat'] :
null),((is_array($in) && isset($in['content'])) ? $in['content'] : null)),
'encq').'
</div>
' : '').'
</div>
+
<input type="hidden" name="wpEditToken"
value="'.htmlentities(((is_array($cx['scopes'][0]) &&
isset($cx['scopes'][0]['editToken'])) ? $cx['scopes'][0]['editToken'] : null),
ENT_QUOTES, 'UTF-8').'" />
<input type="hidden" name="topic_replyTo"
value="'.htmlentities(((is_array($in) && isset($in['postId'])) ? $in['postId']
: null), ENT_QUOTES, 'UTF-8').'" />
'.LCRun3::hbch($cx, 'ifAnonymous', Array(), $in, function($cx,
$in) {return '
@@ -265,7 +266,6 @@
</form>
' : '').'
-
</div>
';}).'
@@ -274,4 +274,4 @@
</div>
';
}
-?>
+?>
\ No newline at end of file
diff --git a/handlebars/compiled/flow_block_topic_edit_post.handlebars.php
b/handlebars/compiled/flow_block_topic_edit_post.handlebars.php
index 7a83f6c..80f5246 100644
--- a/handlebars/compiled/flow_block_topic_edit_post.handlebars.php
+++ b/handlebars/compiled/flow_block_topic_edit_post.handlebars.php
@@ -7,9 +7,9 @@
'debug' => $debugopt,
),
'helpers' => Array( 'l10n' => 'Flow\TemplateHelper::l10n',
- 'html' => 'Flow\TemplateHelper::html',
'l10nParse' => 'Flow\TemplateHelper::l10nParse',
'linkWithReturnTo' => 'Flow\TemplateHelper::linkWithReturnTo',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array( 'eachPost' =>
'Flow\TemplateHelper::eachPost',
@@ -42,10 +42,11 @@
' : '').'
'.((LCRun3::ifvar($cx, ((is_array($in) && isset($in['content'])) ?
$in['content'] : null))) ? '
<div class="flow-preview-sub-container">
- '.LCRun3::ch($cx, 'html', Array(((is_array($in) &&
isset($in['content'])) ? $in['content'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['contentFormat'])) ? $in['contentFormat'] :
null),((is_array($in) && isset($in['content'])) ? $in['content'] : null)),
'encq').'
</div>
' : '').'
</div>
+
<input type="hidden" name="wpEditToken"
value="'.htmlentities(((is_array($cx['scopes'][0]) &&
isset($cx['scopes'][0]['editToken'])) ? $cx['scopes'][0]['editToken'] : null),
ENT_QUOTES, 'UTF-8').'" />
<input type="hidden" name="topic_prev_revision"
value="'.htmlentities(((is_array($in) && isset($in['revisionId'])) ?
$in['revisionId'] : null), ENT_QUOTES, 'UTF-8').'" />
diff --git a/handlebars/compiled/flow_block_topic_moderate_post.handlebars.php
b/handlebars/compiled/flow_block_topic_moderate_post.handlebars.php
index 84d89c9..7fb7a57 100644
--- a/handlebars/compiled/flow_block_topic_moderate_post.handlebars.php
+++ b/handlebars/compiled/flow_block_topic_moderate_post.handlebars.php
@@ -8,10 +8,10 @@
),
'helpers' => Array( 'l10n' => 'Flow\TemplateHelper::l10n',
'uuidTimestamp' => 'Flow\TemplateHelper::uuidTimestamp',
- 'html' => 'Flow\TemplateHelper::html',
'post' => 'Flow\TemplateHelper::post',
'moderationAction' => 'Flow\TemplateHelper::moderationAction',
'moderationActionText' =>
'Flow\TemplateHelper::moderationActionText',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array( 'eachPost' =>
'Flow\TemplateHelper::eachPost',
@@ -54,7 +54,7 @@
<div>@Todo - Add css to toggle between "xxx is hidden
by xxx" and real post</div>
' : '').'
<div class="flow-post-content">
- '.LCRun3::ch($cx, 'html', Array(((is_array($in) &&
isset($in['content'])) ? $in['content'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['contentFormat'])) ? $in['contentFormat'] :
null),((is_array($in) && isset($in['content'])) ? $in['content'] : null)),
'encq').'
</div>
<div class="flow-post-meta">
<span class="flow-post-meta-actions">
diff --git a/handlebars/compiled/flow_block_topic_moderate_topic.handlebars.php
b/handlebars/compiled/flow_block_topic_moderate_topic.handlebars.php
index 84d89c9..7fb7a57 100644
--- a/handlebars/compiled/flow_block_topic_moderate_topic.handlebars.php
+++ b/handlebars/compiled/flow_block_topic_moderate_topic.handlebars.php
@@ -8,10 +8,10 @@
),
'helpers' => Array( 'l10n' => 'Flow\TemplateHelper::l10n',
'uuidTimestamp' => 'Flow\TemplateHelper::uuidTimestamp',
- 'html' => 'Flow\TemplateHelper::html',
'post' => 'Flow\TemplateHelper::post',
'moderationAction' => 'Flow\TemplateHelper::moderationAction',
'moderationActionText' =>
'Flow\TemplateHelper::moderationActionText',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array( 'eachPost' =>
'Flow\TemplateHelper::eachPost',
@@ -54,7 +54,7 @@
<div>@Todo - Add css to toggle between "xxx is hidden
by xxx" and real post</div>
' : '').'
<div class="flow-post-content">
- '.LCRun3::ch($cx, 'html', Array(((is_array($in) &&
isset($in['content'])) ? $in['content'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['contentFormat'])) ? $in['contentFormat'] :
null),((is_array($in) && isset($in['content'])) ? $in['content'] : null)),
'encq').'
</div>
<div class="flow-post-meta">
<span class="flow-post-meta-actions">
diff --git a/handlebars/compiled/flow_block_topic_reply.handlebars.php
b/handlebars/compiled/flow_block_topic_reply.handlebars.php
index 8ef0171..66824bd 100644
--- a/handlebars/compiled/flow_block_topic_reply.handlebars.php
+++ b/handlebars/compiled/flow_block_topic_reply.handlebars.php
@@ -7,7 +7,7 @@
'debug' => $debugopt,
),
'helpers' => Array( 'l10n' => 'Flow\TemplateHelper::l10n',
- 'html' => 'Flow\TemplateHelper::html',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array( 'eachPost' =>
'Flow\TemplateHelper::eachPost',
@@ -40,10 +40,11 @@
' : '').'
'.((LCRun3::ifvar($cx, ((is_array($in) && isset($in['content'])) ?
$in['content'] : null))) ? '
<div class="flow-preview-sub-container">
- '.LCRun3::ch($cx, 'html', Array(((is_array($in) &&
isset($in['content'])) ? $in['content'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['contentFormat'])) ? $in['contentFormat'] :
null),((is_array($in) && isset($in['content'])) ? $in['content'] : null)),
'encq').'
</div>
' : '').'
</div>
+
<input type="hidden" name="wpEditToken"
value="'.htmlentities(((is_array($cx['scopes'][0]) &&
isset($cx['scopes'][0]['editToken'])) ? $cx['scopes'][0]['editToken'] : null),
ENT_QUOTES, 'UTF-8').'" />
<input type="hidden" name="topic_replyTo"
value="'.htmlentities(((is_array($in) && isset($in['postId'])) ? $in['postId']
: null), ENT_QUOTES, 'UTF-8').'" />
<textarea
id="flow-post-'.htmlentities(((is_array($in) && isset($in['postId'])) ?
$in['postId'] : null), ENT_QUOTES, 'UTF-8').'-form-content"
name="topic_content" class="mw-ui-input" type="text"
placeholder="'.LCRun3::ch($cx, 'l10n',
Array('flow-reply-topic-title-placeholder',((is_array($in) &&
isset($in['content'])) ? $in['content'] : null)), 'encq').'"
data-role="content">'.LCRun3::hbch($cx, 'ifEquals',
Array(((is_array($cx['scopes'][0]['submitted']) &&
isset($cx['scopes'][0]['submitted']['postId'])) ?
$cx['scopes'][0]['submitted']['postId'] : null),((is_array($in) &&
isset($in['postId'])) ? $in['postId'] : null)), $in, function($cx, $in) {return
'
@@ -60,4 +61,4 @@
</div>
';
}
-?>
+?>
\ No newline at end of file
diff --git a/handlebars/compiled/flow_block_topic_single_view.handlebars.php
b/handlebars/compiled/flow_block_topic_single_view.handlebars.php
index 2d08362..3fabb6c 100644
--- a/handlebars/compiled/flow_block_topic_single_view.handlebars.php
+++ b/handlebars/compiled/flow_block_topic_single_view.handlebars.php
@@ -6,8 +6,8 @@
'spvar' => true,
'debug' => $debugopt,
),
- 'helpers' => Array( 'html' => 'Flow\TemplateHelper::html',
- 'l10nParse' => 'Flow\TemplateHelper::l10nParse',
+ 'helpers' => Array( 'l10nParse' =>
'Flow\TemplateHelper::l10nParse',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array(),
@@ -22,15 +22,9 @@
'.LCRun3::ch($cx, 'l10nParse',
Array('flow-revision-permalink-warning-post-first',((is_array($in['revision'])
&& isset($in['revision']['human_timestamp'])) ?
$in['revision']['human_timestamp'] :
null),((is_array($in['revision']['rev_view_links']['board']) &&
isset($in['revision']['rev_view_links']['board']['title'])) ?
$in['revision']['rev_view_links']['board']['title'] :
null),((is_array($in['revision']['root']) &&
isset($in['revision']['root']['content'])) ? $in['revision']['root']['content']
: null),((is_array($in['revision']['rev_view_links']['hist']) &&
isset($in['revision']['rev_view_links']['hist']['url'])) ?
$in['revision']['rev_view_links']['hist']['url'] :
null),((is_array($in['revision']['rev_view_links']['diff']) &&
isset($in['revision']['rev_view_links']['diff']['url'])) ?
$in['revision']['rev_view_links']['diff']['url'] : null)), 'encq').'
').'
</div>
-'.((LCRun3::ifvar($cx, ((is_array($in['revision']) &&
isset($in['revision']['isTopicTitle'])) ? $in['revision']['isTopicTitle'] :
null))) ? '
- <div class="flow-topics">
- '.htmlentities(((is_array($in['revision']) &&
isset($in['revision']['content'])) ? $in['revision']['content'] : null),
ENT_QUOTES, 'UTF-8').'
- </div>
-' : '
- <div>
- '.LCRun3::ch($cx, 'html', Array(((is_array($in['revision']) &&
isset($in['revision']['content'])) ? $in['revision']['content'] : null)),
'encq').'
- </div>
-').'
+<div'.((LCRun3::ifvar($cx, ((is_array($in['revision']) &&
isset($in['revision']['isTopicTitle'])) ? $in['revision']['isTopicTitle'] :
null))) ? ' class="flow-topics"' : '').'>
+ '.LCRun3::ch($cx, 'escapeContent', Array(((is_array($in['revision']) &&
isset($in['revision']['contentFormat'])) ? $in['revision']['contentFormat'] :
null),((is_array($in['revision']) && isset($in['revision']['content'])) ?
$in['revision']['content'] : null)), 'encq').'
+</div>
';
diff --git a/handlebars/compiled/flow_block_topiclist.handlebars.php
b/handlebars/compiled/flow_block_topiclist.handlebars.php
index b534fa5..c4d85e8 100644
--- a/handlebars/compiled/flow_block_topiclist.handlebars.php
+++ b/handlebars/compiled/flow_block_topiclist.handlebars.php
@@ -9,11 +9,11 @@
'helpers' => Array( 'l10n' => 'Flow\TemplateHelper::l10n',
'uuidTimestamp' => 'Flow\TemplateHelper::uuidTimestamp',
'timestamp' => 'Flow\TemplateHelper::timestamp',
- 'html' => 'Flow\TemplateHelper::html',
'post' => 'Flow\TemplateHelper::post',
'progressiveEnhancement' =>
'Flow\TemplateHelper::progressiveEnhancement',
'l10nParse' => 'Flow\TemplateHelper::l10nParse',
'linkWithReturnTo' => 'Flow\TemplateHelper::linkWithReturnTo',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array( 'eachPost' =>
'Flow\TemplateHelper::eachPost',
@@ -73,10 +73,11 @@
' : '').'
'.((LCRun3::ifvar($cx, ((is_array($in) && isset($in['content'])) ?
$in['content'] : null))) ? '
<div class="flow-preview-sub-container">
- '.LCRun3::ch($cx, 'html', Array(((is_array($in) &&
isset($in['content'])) ? $in['content'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['contentFormat'])) ? $in['contentFormat'] :
null),((is_array($in) && isset($in['content'])) ? $in['content'] : null)),
'encq').'
</div>
' : '').'
</div>
+
'.((LCRun3::ifvar($cx, ((is_array($in) && isset($in['errors']))
? $in['errors'] : null))) ? '
<ul>
'.LCRun3::sec($cx, ((is_array($in) &&
isset($in['errors'])) ? $in['errors'] : null), $in, true, function($cx, $in)
{return '
@@ -278,7 +279,7 @@
</div>
<div class="flow-topic-summary">
'.((LCRun3::ifvar($cx, ((is_array($in) &&
isset($in['summary'])) ? $in['summary'] : null))) ? '
- '.LCRun3::ch($cx, 'html', Array(((is_array($in)
&& isset($in['summary'])) ? $in['summary'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['summaryFormat'])) ? $in['summaryFormat'] :
null),((is_array($in) && isset($in['summary'])) ? $in['summary'] : null)),
'encq').'
' : '').'
</div>
</div>
@@ -300,10 +301,11 @@
' : '').'
'.((LCRun3::ifvar($cx, ((is_array($in) && isset($in['content'])) ?
$in['content'] : null))) ? '
<div class="flow-preview-sub-container">
- '.LCRun3::ch($cx, 'html', Array(((is_array($in) &&
isset($in['content'])) ? $in['content'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['contentFormat'])) ? $in['contentFormat'] :
null),((is_array($in) && isset($in['content'])) ? $in['content'] : null)),
'encq').'
</div>
' : '').'
</div>
+
<input type="hidden" name="wpEditToken"
value="'.htmlentities(((is_array($cx['scopes'][0]) &&
isset($cx['scopes'][0]['editToken'])) ? $cx['scopes'][0]['editToken'] : null),
ENT_QUOTES, 'UTF-8').'" />
<input type="hidden" name="topic_replyTo"
value="'.htmlentities(((is_array($in) && isset($in['postId'])) ? $in['postId']
: null), ENT_QUOTES, 'UTF-8').'" />
'.LCRun3::hbch($cx, 'ifAnonymous', Array(), $in, function($cx,
$in) {return '
@@ -335,7 +337,6 @@
</form>
' : '').'
-
</div>
';}).'
@@ -353,4 +354,4 @@
</div>
';
}
-?>
+?>
\ No newline at end of file
diff --git a/handlebars/compiled/flow_block_topicsummary_edit.handlebars.php
b/handlebars/compiled/flow_block_topicsummary_edit.handlebars.php
index 0a9d86e..f857b72 100644
--- a/handlebars/compiled/flow_block_topicsummary_edit.handlebars.php
+++ b/handlebars/compiled/flow_block_topicsummary_edit.handlebars.php
@@ -7,7 +7,7 @@
'debug' => $debugopt,
),
'helpers' => Array( 'l10n' => 'Flow\TemplateHelper::l10n',
- 'html' => 'Flow\TemplateHelper::html',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array(),
@@ -34,17 +34,24 @@
' : '').'
'.((LCRun3::ifvar($cx, ((is_array($in) && isset($in['content'])) ?
$in['content'] : null))) ? '
<div class="flow-preview-sub-container">
- '.LCRun3::ch($cx, 'html', Array(((is_array($in) &&
isset($in['content'])) ? $in['content'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['contentFormat'])) ? $in['contentFormat'] :
null),((is_array($in) && isset($in['content'])) ? $in['content'] : null)),
'encq').'
</div>
' : '').'
</div>
+
<input type="hidden" name="wpEditToken"
value="'.htmlentities(((is_array($in) && isset($in['editToken'])) ?
$in['editToken'] : null), ENT_QUOTES, 'UTF-8').'" />
'.((LCRun3::ifvar($cx, ((is_array($in['revision']) &&
isset($in['revision']['revisionId'])) ? $in['revision']['revisionId'] : null)))
? '
<input type="hidden"
name="'.htmlentities(((is_array($in) && isset($in['type'])) ? $in['type'] :
null), ENT_QUOTES, 'UTF-8').'_prev_revision"
value="'.htmlentities(((is_array($in['revision']) &&
isset($in['revision']['revisionId'])) ? $in['revision']['revisionId'] : null),
ENT_QUOTES, 'UTF-8').'" />
' : '').'
<textarea name="'.htmlentities(((is_array($in) &&
isset($in['type'])) ? $in['type'] : null), ENT_QUOTES, 'UTF-8').'_summary"
data-flow-expandable="true" class="mw-ui-input" type="text"
data-role="content">'.((LCRun3::ifvar($cx, ((is_array($in['submitted']) &&
isset($in['submitted']['summary'])) ? $in['submitted']['summary'] : null))) ?
''.htmlentities(((is_array($in['submitted']) &&
isset($in['submitted']['summary'])) ? $in['submitted']['summary'] : null),
ENT_QUOTES, 'UTF-8').'' : ''.((LCRun3::ifvar($cx, ((is_array($in['revision'])
&& isset($in['revision']['revisionId'])) ? $in['revision']['revisionId'] :
null))) ? ''.htmlentities(((is_array($in['revision']) &&
isset($in['revision']['content'])) ? $in['revision']['content'] : null),
ENT_QUOTES, 'UTF-8').'' : '').'').'</textarea>
<div class="flow-form-actions flow-form-collapsible">
- <button data-role="submit" class="flow-ui-button
flow-ui-constructive">'.LCRun3::ch($cx, 'l10n',
Array('flow-topic-action-summarize-topic'), 'encq').'</button>
+ <button
+ data-role="submit"
+ class="flow-ui-button flow-ui-constructive"
+ data-flow-interactive-handler="apiRequest"
+ data-flow-api-handler="summarizeTopic">
+ '.LCRun3::ch($cx, 'l10n',
Array('flow-topic-action-summarize-topic'), 'encq').'
+ </button>
<button data-role="action" class="flow-ui-button
flow-ui-progressive flow-ui-quiet" data-flow-api-handler="preview"
name="preview">
'.LCRun3::ch($cx, 'l10n',
Array('flow-preview'), 'encq').'
</button>
@@ -55,4 +62,4 @@
</div>
';
}
-?>
+?>
\ No newline at end of file
diff --git
a/handlebars/compiled/flow_block_topicsummary_single_view.handlebars.php
b/handlebars/compiled/flow_block_topicsummary_single_view.handlebars.php
index f642bc8..3830aa8 100644
--- a/handlebars/compiled/flow_block_topicsummary_single_view.handlebars.php
+++ b/handlebars/compiled/flow_block_topicsummary_single_view.handlebars.php
@@ -6,8 +6,8 @@
'spvar' => true,
'debug' => $debugopt,
),
- 'helpers' => Array( 'html' => 'Flow\TemplateHelper::html',
- 'l10nParse' => 'Flow\TemplateHelper::l10nParse',
+ 'helpers' => Array( 'l10nParse' =>
'Flow\TemplateHelper::l10nParse',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array(),
@@ -22,7 +22,7 @@
'.LCRun3::ch($cx, 'l10nParse',
Array('flow-revision-permalink-warning-postsummary-first',((is_array($in['evision'])
&& isset($in['evision']['human_timestamp'])) ?
$in['evision']['human_timestamp'] :
null),((is_array($in['revision']['rev_view_links']['board']) &&
isset($in['revision']['rev_view_links']['board']['title'])) ?
$in['revision']['rev_view_links']['board']['title'] :
null),((is_array($in['revision']['root']) &&
isset($in['revision']['root']['content'])) ? $in['revision']['root']['content']
: null),((is_array($in['revision']['rev_view_links']['hist']) &&
isset($in['revision']['rev_view_links']['hist']['url'])) ?
$in['revision']['rev_view_links']['hist']['url'] :
null),((is_array($in['revision']['rev_view_links']['diff']) &&
isset($in['revision']['rev_view_links']['diff']['url'])) ?
$in['revision']['rev_view_links']['diff']['url'] : null)), 'encq').'
').'
</div>
-'.LCRun3::ch($cx, 'html', Array(((is_array($in['revision']) &&
isset($in['revision']['content'])) ? $in['revision']['content'] : null)),
'encq').'
+'.LCRun3::ch($cx, 'escapeContent', Array(((is_array($in['revision']) &&
isset($in['revision']['contentFormat'])) ? $in['revision']['contentFormat'] :
null),((is_array($in['revision']) && isset($in['revision']['content'])) ?
$in['revision']['content'] : null)), 'encq').'
';
}
?>
\ No newline at end of file
diff --git a/handlebars/compiled/flow_post.handlebars.php
b/handlebars/compiled/flow_post.handlebars.php
index bc20f4f..572234e 100644
--- a/handlebars/compiled/flow_post.handlebars.php
+++ b/handlebars/compiled/flow_post.handlebars.php
@@ -8,8 +8,8 @@
),
'helpers' => Array( 'l10n' => 'Flow\TemplateHelper::l10n',
'uuidTimestamp' => 'Flow\TemplateHelper::uuidTimestamp',
- 'html' => 'Flow\TemplateHelper::html',
'post' => 'Flow\TemplateHelper::post',
+ 'escapeContent' => 'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array( 'eachPost' =>
'Flow\TemplateHelper::eachPost',
@@ -31,7 +31,7 @@
<div>@Todo - Add css to toggle between "xxx is hidden
by xxx" and real post</div>
' : '').'
<div class="flow-post-content">
- '.LCRun3::ch($cx, 'html', Array(((is_array($in) &&
isset($in['content'])) ? $in['content'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['contentFormat'])) ? $in['contentFormat'] :
null),((is_array($in) && isset($in['content'])) ? $in['content'] : null)),
'encq').'
</div>
<div class="flow-post-meta">
<span class="flow-post-meta-actions">
diff --git a/handlebars/compiled/flow_preview.handlebars.php
b/handlebars/compiled/flow_preview.handlebars.php
index 0480479..bddfdff 100644
--- a/handlebars/compiled/flow_preview.handlebars.php
+++ b/handlebars/compiled/flow_preview.handlebars.php
@@ -6,7 +6,7 @@
'spvar' => true,
'debug' => $debugopt,
),
- 'helpers' => Array( 'html' => 'Flow\TemplateHelper::html',
+ 'helpers' => Array( 'escapeContent' =>
'Flow\TemplateHelper::escapeContent',
),
'blockhelpers' => Array(),
'hbhelpers' => Array(),
@@ -22,9 +22,10 @@
' : '').'
'.((LCRun3::ifvar($cx, ((is_array($in) && isset($in['content'])) ?
$in['content'] : null))) ? '
<div class="flow-preview-sub-container">
- '.LCRun3::ch($cx, 'html', Array(((is_array($in) &&
isset($in['content'])) ? $in['content'] : null)), 'encq').'
+ '.LCRun3::ch($cx, 'escapeContent',
Array(((is_array($in) && isset($in['contentFormat'])) ? $in['contentFormat'] :
null),((is_array($in) && isset($in['content'])) ? $in['content'] : null)),
'encq').'
</div>
' : '').'
-</div>';
+</div>
+';
}
?>
\ No newline at end of file
diff --git a/handlebars/flow_block_header.handlebars
b/handlebars/flow_block_header.handlebars
index 1039a54..1899192 100644
--- a/handlebars/flow_block_header.handlebars
+++ b/handlebars/flow_block_header.handlebars
@@ -1,7 +1,7 @@
<div class="flow-board-header">
<div class="flow-board-header-detail-view">
{{#if revision.content}}
- {{html revision.content}}
+ {{escapeContent revision.contentFormat
revision.content}}
{{else}}
<p>{{l10n "flow-header-empty"}}</p>
{{/if}}
diff --git a/handlebars/flow_block_header_single_view.handlebars
b/handlebars/flow_block_header_single_view.handlebars
index 98af089..32b3425 100644
--- a/handlebars/flow_block_header_single_view.handlebars
+++ b/handlebars/flow_block_header_single_view.handlebars
@@ -5,4 +5,4 @@
{{l10nParse "flow-revision-permalink-warning-header-first"
revision.human_timestamp revision.rev_view_links.hist.url
revision.rev_view_links.diff.url}}
{{/if}}
</div>
-{{html revision.content}}
+{{escapeContent revision.contentFormat revision.content}}
diff --git a/handlebars/flow_block_topic_single_view.handlebars
b/handlebars/flow_block_topic_single_view.handlebars
index fc86763..ba8cda7 100644
--- a/handlebars/flow_block_topic_single_view.handlebars
+++ b/handlebars/flow_block_topic_single_view.handlebars
@@ -5,14 +5,8 @@
{{l10nParse "flow-revision-permalink-warning-post-first"
revision.human_timestamp revision.rev_view_links.board.title
revision.root.content revision.rev_view_links.hist.url
revision.rev_view_links.diff.url}}
{{/if}}
</div>
-{{#if revision.isTopicTitle}}
- <div class="flow-topics">
- {{revision.content}}
- </div>
-{{else}}
- <div>
- {{html revision.content}}
- </div>
-{{/if}}
+<div{{#if revision.isTopicTitle}} class="flow-topics"{{/if}}>
+ {{escapeContent revision.contentFormat revision.content}}
+</div>
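Review bot: The removed branch escaped topic titles unconditionally with `{{revision.content}}`, whereas the new single `<div>` escapes them only when revision.contentFormat is not 'html', so the title path now depends on the formatter reporting an accurate format for isTopicTitle revisions — confirm that title revisions are never tagged html unless the value has actually been through parsoid. Rendering is otherwise unchanged: the class is added only for titles and the inner content goes through escapeContent in both cases.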
diff --git a/handlebars/flow_block_topicsummary_single_view.handlebars
b/handlebars/flow_block_topicsummary_single_view.handlebars
index 77698e1..2e9416e 100644
--- a/handlebars/flow_block_topicsummary_single_view.handlebars
+++ b/handlebars/flow_block_topicsummary_single_view.handlebars
@@ -5,4 +5,4 @@
{{l10nParse "flow-revision-permalink-warning-postsummary-first"
evision.human_timestamp revision.rev_view_links.board.title
revision.root.content revision.rev_view_links.hist.url
revision.rev_view_links.diff.url}}
{{/if}}
</div>
-{{html revision.content}}
+{{escapeContent revision.contentFormat revision.content}}
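Review bot: The context line `evision.human_timestamp` above the changed line is missing its leading r, so l10nParse receives null for the first placeholder; this predates the commit, but the same typo is baked into the compiled counterpart as `$in['evision']`, and since this template is being regenerated anyway it should read `revision.human_timestamp`. The changed line itself is consistent with the other single-view templates.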
diff --git a/handlebars/flow_post.handlebars b/handlebars/flow_post.handlebars
index d26438a..1952bbf 100644
--- a/handlebars/flow_post.handlebars
+++ b/handlebars/flow_post.handlebars
@@ -11,7 +11,7 @@
<div>@Todo - Add css to toggle between "xxx is hidden
by xxx" and real post</div>
{{/if}}
<div class="flow-post-content">
- {{html content}}
+ {{escapeContent contentFormat content}}
</div>
<div class="flow-post-meta">
<span class="flow-post-meta-actions">
diff --git a/handlebars/flow_preview.handlebars
b/handlebars/flow_preview.handlebars
index fe94dcd..5462923 100644
--- a/handlebars/flow_preview.handlebars
+++ b/handlebars/flow_preview.handlebars
@@ -6,7 +6,7 @@
{{/if}}
{{#if content}}
<div class="flow-preview-sub-container">
- {{html content}}
+ {{escapeContent contentFormat content}}
</div>
{{/if}}
-</div>
\ No newline at end of file
+</div>
diff --git a/handlebars/flow_topic.handlebars b/handlebars/flow_topic.handlebars
index 2859e85..1a025e6 100644
--- a/handlebars/flow_topic.handlebars
+++ b/handlebars/flow_topic.handlebars
@@ -162,7 +162,7 @@
</div>
<div class="flow-topic-summary">
{{#if summary}}
- {{html summary}}
+ {{escapeContent summaryFormat summary}}
{{/if}}
</div>
</div>
diff --git a/includes/Formatter/RevisionFormatter.php
b/includes/Formatter/RevisionFormatter.php
index 0eb308e..ec53838 100644
--- a/includes/Formatter/RevisionFormatter.php
+++ b/includes/Formatter/RevisionFormatter.php
@@ -184,6 +184,7 @@
) {
// Maybe always have both parsed and unparsed versions
available
$res['summary'] = $this->templating->getContent(
$row->summary, $this->contentFormat );
+ $res['summaryFormat'] = $this->contentFormat;
$res['summaryRevId'] =
$row->summary->getRevisionId()->getAlphadecimal();
}
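Review bot: `$res['summaryFormat'] = $this->contentFormat;` at L849 records the format that was requested, not the format `getContent()` actually produced, whereas the JS side of this change (flow-board.js) takes the format from the API response. If `getContent()` can ever return something other than the requested format — for instance falling back to wikitext when Parsoid is unavailable — the summary would be tagged `html` and emitted unescaped, which is exactly the vector this commit closes. If `getContent()` guarantees the requested format, a comment such as `// getContent() always returns $this->contentFormat, so the requested format is the effective one` would settle it; otherwise expose the effective format from the templating layer and store that instead. The enclosing function starts outside the hunk.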
diff --git a/includes/TemplateHelper.php b/includes/TemplateHelper.php
index 3f2378a..f482948 100644
--- a/includes/TemplateHelper.php
+++ b/includes/TemplateHelper.php
@@ -129,6 +129,7 @@
'user' => 'Flow\TemplateHelper::user',
'addReturnTo' =>
'Flow\TemplateHelper::addReturnTo',
'linkWithReturnTo' =>
'Flow\TemplateHelper::linkWithReturnTo',
+ 'escapeContent' =>
'Flow\TemplateHelper::escapeContent',
),
'hbhelpers' => array(
'eachPost' =>
'Flow\TemplateHelper::eachPost',
@@ -704,4 +705,20 @@
return self::addReturnTo( $url );
}
+
+ /**
+ * Accepts the contentType and content properties returned from the api
+ * for individual revisions and ensures that content is included in the
+ * final html page in an xss safe maner.
+ *
+ * It is expected that all content with contentType of html has been
+ * processed by parsoid and is safe for direct output into the document.
+ *
+ * @param string $contentType
+ * @param string $content
+ * @return string
+ */
+ static public function escapeContent( $contentType, $content ) {
+ return $contentType === 'html' ? self::html( $content ) :
$content;
+ }
}
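Review bot: `escapeContent` at L885 does not escape anything itself — for any format other than exactly `'html'` it returns the raw string and relies on the template engine HTML-escaping plain helper return values, while `self::html()` presumably marks its result as safe; that dependency is the whole XSS argument and should be stated in the docblock, e.g. `* Non-html content is returned as a plain string so the template engine escapes it; only self::html() bypasses escaping.` The strict comparison means a missing or unexpected format (null, `wikitext`, `plaintext`) fails closed, which is the right default and also worth a sentence given the name suggests active escaping. The docblock and parameter are named `$contentType` while every template in this change passes `contentFormat`; aligning the name avoids a reader grepping for the wrong key. Adding `string` type hints on both parameters would also reject a non-string `$content` early instead of letting it reach the template.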
diff --git a/modules/new/components/flow-board.js
b/modules/new/components/flow-board.js
index 8e4972b..f7e2316 100644
--- a/modules/new/components/flow-board.js
+++ b/modules/new/components/flow-board.js
@@ -407,7 +407,8 @@
}
templateParams = {
- 'content' : data['flow-parsoid-utils'].content
+ content : data['flow-parsoid-utils'].content,
+ contentFormat: data['flow-parsoid-utils'].format
};
if ( $titleField.length ) {
diff --git a/modules/new/flow-handlebars.js b/modules/new/flow-handlebars.js
index b23c353..6dc01dd 100644
--- a/modules/new/flow-handlebars.js
+++ b/modules/new/flow-handlebars.js
@@ -708,6 +708,29 @@
};
/**
+ * Accepts the contentType and content properties returned from the api
+ * for individual revisions and ensures that content is included in the
+ * final html page in an XSS safe maner.
+ *
+ * It is expected that all content with contentType of html has been
+ * processed by parsoid and is safe for direct output into the document.
+ *
+ * Usage:
+ * {{escapeContent revision.contentType revision.content}}
+ *
+ * @param {string}
+ * @param {string}
+ * @return {string}
+ */
+ FlowHandlebars.prototype.escapeContent = function ( contentType,
content ) {
+ if ( contentType === 'html' ) {
+ return FlowHandlebars.prototype.html( content );
+ } else {
+ return content;
+ }
+ };
+
+ /**
* Outputs debugging information
*
* For development use only
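Review bot: The usage example at L918 names the first argument `revision.contentType`, but every template in this change passes `contentFormat`; anyone copying the example would pass undefined and render Parsoid HTML as escaped text — fail-closed, but silently broken display. Change it to `{{escapeContent revision.contentFormat revision.content}}` and give the `@param` tags names, `@param {string} contentType` and `@param {string} content`. As with the PHP helper, the non-html branch returns a plain string and depends on Handlebars escaping helper output; a one-line comment making that explicit, e.g. `// Non-html formats are returned as plain strings so Handlebars escapes them on output.`, documents why this is safe without the helper escaping anything itself.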
@@ -736,5 +759,6 @@
Handlebars.registerHelper( 'ifAnonymous',
FlowHandlebars.prototype.ifAnonymous );
Handlebars.registerHelper( 'addReturnTo',
FlowHandlebars.prototype.addReturnTo );
Handlebars.registerHelper( 'linkWithReturnTo',
FlowHandlebars.prototype.linkWithReturnTo );
+ Handlebars.registerHelper( 'escapeContent',
FlowHandlebars.prototype.escapeContent );
Handlebars.registerHelper( 'debug', FlowHandlebars.prototype.debug );
}( jQuery ) );
Gerrit-MessageType: merged
Gerrit-Change-Id: If82e1fa29da464707604646e1d1cfa220b49a5ba
Gerrit-PatchSet: 7
Gerrit-Project: mediawiki/extensions/Flow
Gerrit-Branch: frontend-rewrite
Gerrit-Owner: EBernhardson <[email protected]>
Gerrit-Reviewer: EBernhardson <[email protected]>
Gerrit-Reviewer: Mattflaschen <[email protected]>
Gerrit-Reviewer: SG <[email protected]>
Gerrit-Reviewer: jenkins-bot <>