jenkins-bot has submitted this change and it was merged.
Change subject: Test for HTML injection in TimeDetailsFormatter
......................................................................
Test for HTML injection in TimeDetailsFormatter
Change-Id: I32a96cb212365eaaac9c7cc5fdda23e7bcada87b
---
M lib/includes/formatters/TimeDetailsFormatter.php
M lib/tests/phpunit/formatters/TimeDetailsFormatterTest.php
2 files changed, 35 insertions(+), 3 deletions(-)
Approvals:
Daniel Kinzler: Looks good to me, approved
jenkins-bot: Verified
diff --git a/lib/includes/formatters/TimeDetailsFormatter.php
b/lib/includes/formatters/TimeDetailsFormatter.php
index 008fd25..3fec5a5 100644
--- a/lib/includes/formatters/TimeDetailsFormatter.php
+++ b/lib/includes/formatters/TimeDetailsFormatter.php
@@ -178,7 +178,7 @@
$lang = $this->getOption( ValueFormatter::OPT_LANG );
$msg = wfMessage( $key, $amount )->inLanguage( $lang );
- return $msg->text();
+ return htmlspecialchars( $msg->text() );
}
/**
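Review bot: `htmlspecialchars( $msg->text() )` on the new line escapes with PHP's default flags and charset, while MediaWiki's `Message` already provides `$msg->escaped()` for exactly this; `return $msg->escaped();` keeps the escaping consistent with the rest of the code base. The enclosing method starts before this hunk, so its docblock is not visible; its `@return` should now state that the value is HTML rather than plain text, e.g. `@return string HTML`, so that no caller wraps the result in `Html::element()` and double-escapes it.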
@@ -192,7 +192,7 @@
$html .= Html::element( 'th', array( 'class' => 'wb-time-' .
$fieldName ),
$this->getFieldLabel( $fieldName )->text() );
- $html .= Html::element( 'td', array( 'class' => 'wb-time-' .
$fieldName ),
+ $html .= Html::rawElement( 'td', array( 'class' => 'wb-time-' .
$fieldName ),
$valueHtml );
$html .= Html::closeElement( 'tr' );
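Review bot: `$valueHtml` is now emitted unescaped through `Html::rawElement()` while nothing at this call site records that the caller must pre-escape it, so a future caller passing plain text reintroduces the injection this commit fixes. The parameter docblock (the `/**` opens at the end of the previous hunk, its body is outside this view) should state the contract, e.g. `@param string $valueHtml HTML; callers must escape plain-text values (htmlspecialchars) before passing them`. The asymmetry with the `th` cell, which still goes through `Html::element()`, deserves a one-line comment such as `// the label is plain text, the value is already HTML` so a later edit does not "harmonise" the two calls. The enclosing method starts outside the hunk.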
diff --git a/lib/tests/phpunit/formatters/TimeDetailsFormatterTest.php
b/lib/tests/phpunit/formatters/TimeDetailsFormatterTest.php
index d148440..30a5078 100644
--- a/lib/tests/phpunit/formatters/TimeDetailsFormatterTest.php
+++ b/lib/tests/phpunit/formatters/TimeDetailsFormatterTest.php
@@ -103,11 +103,43 @@
}
public function testFormatError() {
- $formatter = new TimeDetailsFormatter( new FormatterOptions() );
+ $formatter = new TimeDetailsFormatter();
$value = new NumberValue( 23 );
$this->setExpectedException( 'InvalidArgumentException' );
$formatter->format( $value );
}
+ public function
testGivenInvalidTimeValue_formatDoesNotAllowHtmlInjection() {
+ $formatter = new TimeDetailsFormatter();
+
+ $value = $this->getMockBuilder( 'DataValues\TimeValue' )
+ ->disableOriginalConstructor()
+ ->getMock();
+ $value->expects( $this->any() )
+ ->method( 'getTime' )
+ ->will( $this->returnValue( '<a>injection</a>' ) );
+ $value->expects( $this->any() )
+ ->method( 'getCalendarModel' )
+ ->will( $this->returnValue( '<a>injection</a>' ) );
+ $value->expects( $this->any() )
+ ->method( 'getBefore' )
+ ->will( $this->returnValue( '<a>injection</a>' ) );
+ $value->expects( $this->any() )
+ ->method( 'getAfter' )
+ ->will( $this->returnValue( '<a>injection</a>' ) );
+ $value->expects( $this->any() )
+ ->method( 'getPrecision' )
+ ->will( $this->returnValue( '<a>injection</a>' ) );
+ $value->expects( $this->any() )
+ ->method( 'getTimezone' )
+ ->will( $this->returnValue( '<a>injection</a>' ) );
+
+ $html = $formatter->format( $value );
+ $this->assertContains( 'injection', $html, 'Should be in the
output' );
+ $this->assertNotContains( '<a>', $html, 'Should not be
unescaped' );
+ $this->assertContains( '<', $html, 'Should be escaped' );
+ $this->assertNotContains( '&', $html, 'Should not be double
escape' );
+ }
+
}
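Review bot: The six stub blocks on L53–L73 differ only in the method name; iterating over the getter names makes the test shorter and makes it obvious that every accessor is fed the same payload. As printed here the assertions on L80 and L81 read `'<'` and `'&'`, which cannot both pass against an output containing `&lt;`; this looks like the mail rendering decoded `'&lt;'` and `'&amp;'`, so verify against the repository before relying on this listing. A short docblock on the new test, e.g. `Every TimeValue accessor returns markup; the rendered table must contain it escaped exactly once.`, would save the next reader from deducing the intent from the four assertions.
```php
$value = $this->getMockBuilder( 'DataValues\TimeValue' )
	->disableOriginalConstructor()
	->getMock();
$getters = array( 'getTime', 'getCalendarModel', 'getBefore', 'getAfter', 'getPrecision', 'getTimezone' );
foreach ( $getters as $getter ) {
	$value->expects( $this->any() )
		->method( $getter )
		->will( $this->returnValue( '<a>injection</a>' ) );
}
// … unchanged: format() call and the four assertions …
```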
--
To view, visit https://gerrit.wikimedia.org/r/192544
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I32a96cb212365eaaac9c7cc5fdda23e7bcada87b
Gerrit-PatchSet: 3
Gerrit-Project: mediawiki/extensions/Wikibase
Gerrit-Branch: master
Gerrit-Owner: Thiemo Mättig (WMDE) <[email protected]>
Gerrit-Reviewer: Daniel Kinzler <[email protected]>
Gerrit-Reviewer: Thiemo Mättig (WMDE) <[email protected]>
Gerrit-Reviewer: jenkins-bot <>