jenkins-bot has submitted this change and it was merged.
Change subject: Escape unescaped messages in Special:AdminLinks
......................................................................
Escape unescaped messages in Special:AdminLinks
ALSection has been changed to escape the section name.
ALItem now always escapes the $desc/$label, as Linker::link() doesn't
escape the description/html.
Fixed a few instances where wfMessage had no specified output mode.
Bug: T85864
Change-Id: Ifd697a0bd75643266c707a9e2181e72c82f478bf
---
M AdminLinks_body.php
1 file changed, 17 insertions(+), 7 deletions(-)
Approvals:
Nikerabbit: Looks good to me, approved
jenkins-bot: Verified
diff --git a/AdminLinks_body.php b/AdminLinks_body.php
index 1a45938..d70f286 100644
--- a/AdminLinks_body.php
+++ b/AdminLinks_body.php
@@ -28,8 +28,14 @@
'Sidebar',
$this->msg( 'adminlinks_editsidebar' )->text()
) );
- $main_row->addItem( ALItem::newFromEditLink( 'Common.css',
$this->msg( 'adminlinks_editcss' ) ) );
- $main_row->addItem( ALItem::newFromEditLink( 'Mainpage',
$this->msg( 'adminlinks_editmainpagename' ) ) );
+ $main_row->addItem( ALItem::newFromEditLink(
+ 'Common.css',
+ $this->msg( 'adminlinks_editcss' )->text()
+ ) );
+ $main_row->addItem( ALItem::newFromEditLink(
+ 'Mainpage',
+ $this->msg( 'adminlinks_editmainpagename' )->text()
+ ) );
$general_section->addRow( $main_row );
$tree->addSection( $general_section );
@@ -199,7 +205,8 @@
}
function toString() {
- $text = ' <h2 class="mw-specialpagesgroup">' .
$this->header . "</h2>\n";
+ $text = ' <h2 class="mw-specialpagesgroup">' .
+ htmlspecialchars( $this->header ) . "</h2>\n";
foreach ( $this->rows as $row ) {
$text .= $row->toString();
}
@@ -262,7 +269,8 @@
} else {
$title = Title::newFromText( $page_name_or_title );
}
- $item->text = Linker::linkKnown( $title, $desc, array(), $query
);
+ $item->text = Linker::linkKnown( $title, htmlspecialchars(
$desc ),
+ array(), $query );
return $item;
}
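Review bot: Passing `$desc` through htmlspecialchars() before Linker::linkKnown() silently changes this factory's contract to "plain text only": a caller that already hands in escaped or HTML-bearing text now renders double-escaped entities, and nothing in the hunk records that. The function this hunk edits begins above the hunk, so its docblock is out of view; add or amend it with `@param string $desc Plain-text link label; escaped here, so do not pass pre-escaped or HTML-containing strings`. The same note applies to the description in newFromSpecialPage in the next hunk and to `$desc` in newFromEditLink and `$label` in newFromExternalLink in the last hunk.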
@@ -270,7 +278,8 @@
$item = new ALItem();
$item->label = $page_name;
$page = SpecialPageFactory::getPage( $page_name );
- $item->text = Linker::linkKnown( $page->getTitle(),
$page->getDescription() );
+ $item->text = Linker::linkKnown( $page->getTitle(),
+ htmlspecialchars( $page->getDescription() ) );
return $item;
}
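Review bot: `SpecialPageFactory::getPage()` returns null for an unknown special page name, and the rewritten line still calls `$page->getTitle()` and `$page->getDescription()` on it unguarded, so a misspelled or removed page name remains a fatal error rather than something the escaping fix addresses. A guard such as `if ( !$page ) { return $item; }` would leave `$item->text` unset and let the caller skip the entry; whether that or an exception is the right outcome depends on how callers of newFromSpecialPage treat a missing item, which is not visible in this diff.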
@@ -279,14 +288,15 @@
$item->label = $page_name;
$title = Title::makeTitleSafe( NS_MEDIAWIKI, $page_name );
$edit_link = $title->getFullURL( 'action=edit' );
- $item->text = "<a href=\"$edit_link\">$desc</a>";
+ $item->text = "<a href=\"$edit_link\">" . htmlspecialchars(
$desc ) . "</a>";
return $item;
}
static function newFromExternalLink( $url, $label ) {
$item = new ALItem();
$item->label = $label;
- $item->text = "<a class=\"external text\" rel=\"nofollow\"
href=\"$url\">$label</a>";
+ $item->text = "<a class=\"external text\" rel=\"nofollow\"
href=\"" .
+ Sanitizer::encodeAttribute( $url ) . "\">" .
htmlspecialchars( $label ) . "</a>";
return $item;
}
}
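Review bot: In newFromEditLink the `$edit_link` returned by `getFullURL()` is still interpolated raw into the href attribute while `$desc` beside it is now escaped, yet a few lines down newFromExternalLink runs `$url` through `Sanitizer::encodeAttribute()`; the two link builders should treat the attribute the same way. Depending on the wiki's URL configuration `getFullURL( 'action=edit' )` can contain `&`, which belongs in an attribute as `&amp;`. Replace the concatenation with `$item->text = Html::element( 'a', array( 'href' => $edit_link ), $desc );`, which escapes both the attribute value and the text, or at minimum wrap `$edit_link` in `Sanitizer::encodeAttribute()` as is done for `$url`. Separately, `$item->label` is stored unescaped in both factories, which is only safe if whatever renders the label escapes it — that code is not in this diff. newFromEditLink begins above the hunk.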
--
To view, visit https://gerrit.wikimedia.org/r/184211
Gerrit-MessageType: merged
Gerrit-Change-Id: Ifd697a0bd75643266c707a9e2181e72c82f478bf
Gerrit-PatchSet: 3
Gerrit-Project: mediawiki/extensions/AdminLinks
Gerrit-Branch: master
Gerrit-Owner: Unicodesnowman <[email protected]>
Gerrit-Reviewer: Legoktm <[email protected]>
Gerrit-Reviewer: Nemo bis <[email protected]>
Gerrit-Reviewer: Nikerabbit <[email protected]>
Gerrit-Reviewer: Yaron Koren <[email protected]>
Gerrit-Reviewer: jenkins-bot <>