[MediaWiki-commits] [Gerrit] Require post with edit token if $wgRawHtml is set - change (mediawiki...TemplateSandbox)

[jenkins-bot (Code Review)]

jenkins-bot has submitted this change and it was merged.

Change subject: Require post with edit token if $wgRawHtml is set
......................................................................


Require post with edit token if $wgRawHtml is set

Bug: T76195
Manually cherry picked from: Idc6b25689fdaa4640395b9d6e10daa011dea25f9

Change-Id: I7c9220f8777ea7f9079fdc5c3404c3ede748fe09
---
M .gitreview
M SpecialTemplateSandbox.php
M TemplateSandbox.i18n.php
3 files changed, 27 insertions(+), 10 deletions(-)

Approvals:
  MarkAHershberger: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/.gitreview b/.gitreview
index 6d9b888..aca003d 100644
--- a/.gitreview
+++ b/.gitreview
@@ -2,4 +2,4 @@
 host=gerrit.wikimedia.org
 port=29418
 project=mediawiki/extensions/TemplateSandbox.git
-defaultbranch=master
+defaultbranch=REL1_22
diff --git a/SpecialTemplateSandbox.php b/SpecialTemplateSandbox.php
index 5be21a4..61ff1cd 100644
--- a/SpecialTemplateSandbox.php
+++ b/SpecialTemplateSandbox.php
@@ -23,10 +23,12 @@
        }
 
        function execute( $par ) {
+               global $wgRawHtml;
                $this->setHeaders();
                $this->checkPermissions();
 
                $request = $this->getRequest();
+               $requirePost = $wgRawHtml;
 
                if ( $par !== null && !$request->getCheck( 'page' ) ) {
                        $request->setVal( 'page', $par );
@@ -66,7 +68,7 @@
                                'rows' => 5,
                        ),
                ), $this->getContext() );
-               $form->setMethod( 'get' );
+               $form->setMethod( $requirePost ? 'post' : 'get' );
                $form->setSubmitCallback( array( $this, 'onSubmit' ) );
                $form->setWrapperLegend( $this->msg( 'templatesandbox-legend' ) 
);
                $form->addHeaderText( $this->msg( 'templatesandbox-text' 
)->parseAsBlock() );
@@ -74,12 +76,23 @@
 
                $form->prepareForm();
                if ( $request->getCheck( 'page' ) || $request->getCheck( 
'revid' ) ) {
-                       $form->displayForm( $form->trySubmit() );
+                       $form->displayForm( $form->tryAuthorizedSubmit() );
                } else {
                        $form->displayForm( false );
                }
 
-               if ( $this->output !== null ) {
+               $error = false;
+               if ( $requirePost && $this->getRequest()->wasPosted() ) {
+                       $user = $this->getUser();
+                       if ( $user->isAnon() && !$user->isAllowed( 'edit' ) ) {
+                               $error = 'templatesandbox-fail-post-anon';
+                       } elseif ( !$user->matchEditToken( $request->getVal( 
'wpEditToken' ), '', $request ) ) {
+                               $error = 'templatesandbox-fail-post';
+                       }
+               }
+               if ( $error !== false ) {
+                       $this->getOutput()->wrapWikiMsg( "<div 
class='previewnote'>\n$1\n</div>", $error );
+               } elseif ( $this->output !== null ) {
                        $output = $this->getOutput();
 
                        if ( $this->redirectChain ) {
@@ -164,7 +177,7 @@
        /**
         * @param $data array
         * @param $form
-        * @return bool|String
+        * @return Status
         */
        public function onSubmit( $data, $form ) {
                if ( $data['revid'] !== '' && $data['revid'] !== null ) {
@@ -174,7 +187,7 @@
                        $title = Title::newFromText( $data['page'] );
                        $rev = Revision::newFromTitle( $title );
                } else {
-                       return $this->msg( 'templatesandbox-page-or-revid' 
)->parseAsBlock();
+                       return Status::newFatal( 
'templatesandbox-page-or-revid' );
                }
 
                wfProfileIn( __METHOD__ );
@@ -196,7 +209,7 @@
 
                wfProfileOut( __METHOD__ );
 
-               return false;
+               return Status::newGood();
        }
 
        /**
diff --git a/TemplateSandbox.i18n.php b/TemplateSandbox.i18n.php
index 03289ea..d47d042 100644
--- a/TemplateSandbox.i18n.php
+++ b/TemplateSandbox.i18n.php
@@ -40,6 +40,8 @@
        'templatesandbox-invalid-prefix' => 'The sandbox prefix you specified 
is invalid.',
        'templatesandbox-prefix-not-local' => 'The sandbox prefix you specified 
is not local.',
        'templatesandbox-page-or-revid' => 'You must enter either a page title 
or a revision ID number.',
+    'templatesandbox-fail-post' => '<em>Because {{SITENAME}} has raw HTML 
enabled and there was a loss of session data, the preview is hidden as a 
precaution against JavaScript attacks.</em>\n\n<strong>If this is a legitimate 
preview attempt, please try again.</strong>\nIf it still does not work, try 
[[Special:UserLogout|logging out]] and logging back in.',
+    'templatesandbox-fail-post-anon' => '<em>Because {{SITENAME}} has raw HTML 
enabled and you are not logged in, the preview is hidden as a precaution 
against JavaScript attacks.</em>\n\n<strong>If this is a legitimate preview 
attempt, please [[Special:UserLogin|log in]] and try again.</strong>',
 
        'templatesandbox-editform-need-template' => 'To preview another page 
with this template, a template name must be specified.',
        'templatesandbox-editform-need-title' => 'To preview another page with 
this template, a page title must be specified.',
@@ -93,6 +95,8 @@
        'templatesandbox-invalid-prefix' => 'Error message displayed when the 
sandbox prefix specified in the special page is invalid.',
        'templatesandbox-prefix-not-local' => 'Error message displayed when the 
sandbox prefix specified in the special page is not local.',
        'templatesandbox-page-or-revid' => 'Error message displayed when 
neither a page title nor rev_id is given in the special page.',
+       'templatesandbox-fail-post' => 'Error message displayed when attempting 
to use Special:TemplateSandbox with an invalid edit token on a wiki with 
$wgRawHtml true.\n\nSee also:\n* {{msg-mw|expand_templates_preview_fail_html}}',
+       'templatesandbox-fail-post-anon' => 'Error message displayed when 
attempting to use Special:TemplateSandbox as an anon on a wiki with $wgRawHtml 
true and anon editing disabled.\n\nSee also:\n* 
{{msg-mw|expand_templates_preview_fail_html_anon}}',
        'templatesandbox-editform-need-template' => 'Error message displayed 
when no template name is given for the editpage form.
 
 See also:
@@ -114,7 +118,7 @@
        'templatesandbox-desc' => "[[Special:TemplateSandbox|Vertoon 'n 
bladsy]] met sjablone vanaf 'n sandput af",
        'templatesandbox-suffix' => 'sandput',
        'templatesandbox-legend' => 'Sjabloonsandput',
-       'templatesandbox-text' => 'U kan \'n versameling sjablone wat in u 
sandput gestoor is kies deur van \'n voorvoegsel gebruik te maak. 
+       'templatesandbox-text' => 'U kan \'n versameling sjablone wat in u 
sandput gestoor is kies deur van \'n voorvoegsel gebruik te maak.
 As u byvoorbeeld \'n voorskou wil sien van {{ns:Template}}:Toets wat u gestoor 
het as "{{ns:User}}:Gebruikersnaam/sandput/{{ns:Template}}:Toets", gebruik dan 
"{{ns:User}}:Gebruikersnaam/sandput" as die voorvoegsel.',
        'templatesandbox-prefix-label' => 'Voorvoegsel vir sandput:',
        'templatesandbox-page-label' => 'Vertoon bladsy:',
@@ -268,7 +272,7 @@
        'templatesandbox-desc' => '[[Special:TemplateSandbox|Mostra una 
pàgina]] utilitzant plantilles de proves',
        'templatesandbox-suffix' => 'proves',
        'templatesandbox-legend' => 'Proves de plantilles',
-       'templatesandbox-text' => "Podeu triar un conjunt de plantilles desades 
en el vostre espai de proves mitjançant l'ús d'un prefix de proves apropiat. 
+       'templatesandbox-text' => "Podeu triar un conjunt de plantilles desades 
en el vostre espai de proves mitjançant l'ús d'un prefix de proves apropiat.
 Per exemple, si voleu previsualitzar una versió de {{ns:Template}}:Test que 
heu desat a 
«{{ns:User}}:Exemple/{{int:templatesandbox-suffix}}/{{ns:Template}}:Test», 
utilitzeu «{{ns:User}}:Exemple/{{int:templatesandbox-suffix}}» com a prefix.",
        'templatesandbox-prefix-label' => 'Prefix de proves:',
        'templatesandbox-page-label' => 'Pàgina a generar:',
@@ -497,7 +501,7 @@
        'templatesandbox-editform-page-label' => 'Titolo de la paĝo:',
        'templatesandbox-editform-view-label' => 'Montri antaŭrigardon',
        'templatesandbox-preview' => 'Antaŭvido de $2',
-       'templatesandbox-previewnote' => "'''Memoru, ke ĉi tio estas nur 
antaŭrigardo de [[:$1]].''' 
+       'templatesandbox-previewnote' => "'''Memoru, ke ĉi tio estas nur 
antaŭrigardo de [[:$1]].'''
 Viaj ŝanĝoj ne ankoraŭ estas konservitaj!",
        'templatesandbox-invalid-title' => 'La titolo kiun vi enmetis estas 
malvalida.',
        'templatesandbox-title-not-exists' => 'La titolo kiun vi menciis ne 
ekzistas.',

-- 
To view, visit https://gerrit.wikimedia.org/r/180787
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I7c9220f8777ea7f9079fdc5c3404c3ede748fe09
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/TemplateSandbox
Gerrit-Branch: REL1_22
Gerrit-Owner: MarkAHershberger <m...@nichework.com>
Gerrit-Reviewer: Anomie <bjor...@wikimedia.org>
Gerrit-Reviewer: Jackmcbarn <jackmcb...@gmail.com>
Gerrit-Reviewer: MarkAHershberger <m...@nichework.com>
Gerrit-Reviewer: Siebrand <siebr...@kitano.nl>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits