Glaisher has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/248361

Change subject: Do escaping before output on Newsletter special pages
......................................................................

Do escaping before output on Newsletter special pages

Bug: T116382
Change-Id: I7be05662b2da9aa0ef348835393c353147cc4c54
---
M includes/specials/SpecialNewsletter.php
M includes/specials/pagers/NewsletterManageTablePager.php
M includes/specials/pagers/NewsletterTablePager.php
3 files changed, 17 insertions(+), 16 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Newsletter 
refs/changes/61/248361/1

diff --git a/includes/specials/SpecialNewsletter.php 
b/includes/specials/SpecialNewsletter.php
index d9072ba..d016884 100644
--- a/includes/specials/SpecialNewsletter.php
+++ b/includes/specials/SpecialNewsletter.php
@@ -43,7 +43,7 @@
                list( $id, $action ) = $params;
 
                $out = $this->getOutput();
-               $this->newsletter = Newsletter::newFromID( (int)$id );
+               $this->newsletter = Newsletter::newFromID( $id );
 
 
                if ( $this->newsletter ) {
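Review bot: Dropping the `(int)` cast in `$this->newsletter = Newsletter::newFromID( $id );` is unrelated to the escaping change in the subject and alters what reaches the lookup: `list( $id, $action ) = $params;` above suggests `$id` is a user-supplied subpage string. That is only safe if Newsletter::newFromID() casts or validates its argument itself, which is not visible from this hunk; if it does not, keep the cast or reject non-numeric input first, `if ( !ctype_digit( (string)$id ) ) { /* show error */ }`. The enclosing method begins before the hunk.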
@@ -122,8 +122,9 @@
                                'mainpage' => array(
                                        'type' => 'info',
                                        'label-message' => 
'newsletter-view-mainpage',
-                                       'default' => Linker::link( $mainTitle, 
$mainTitle->getPrefixedText() ) . ' ' .
-                                               $this->msg( 'parentheses' 
)->rawParams(
+                                       'default' => Linker::link( $mainTitle, 
htmlspecialchars( $mainTitle->getPrefixedText() ) )
+                                               . ' '
+                                               . $this->msg( 'parentheses' 
)->rawParams(
                                                        Linker::link( 
$mainTitle, 'hist', array(), array( 'action' => 'history' ) )
                                                )->escaped(),
                                        'raw' => true,
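Review bot: The history link text on the `Linker::link( $mainTitle, 'hist', array(), array( 'action' => 'history' ) )` line is a hard-coded literal rather than a message, so it is neither localised nor handled through the same message escaping the rest of this field now uses. Core provides a `hist` message for exactly this link; `$this->msg( 'hist' )->escaped()` in place of `'hist'` would match the surrounding code. The `'mainpage'` field definition continues outside the hunk.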
diff --git a/includes/specials/pagers/NewsletterManageTablePager.php 
b/includes/specials/pagers/NewsletterManageTablePager.php
index 69169f8..152d9fe 100644
--- a/includes/specials/pagers/NewsletterManageTablePager.php
+++ b/includes/specials/pagers/NewsletterManageTablePager.php
@@ -26,10 +26,10 @@
        public function getFieldNames() {
                if ( $this->fieldNames === null ) {
                        $this->fieldNames = array(
-                               'nl_id' => $this->msg( 
'newsletter-manage-header-name' )->text(),
-                               'nlp_publisher_id' => $this->msg( 
'newsletter-manage-header-publisher' )->text(),
-                               'permissions' => $this->msg( 
'newsletter-manage-header-permissions' )->text(),
-                               'action' => $this->msg( 
'newsletter-manage-header-action' )->text(),
+                               'nl_id' => $this->msg( 
'newsletter-manage-header-name' )->escaped(),
+                               'nlp_publisher_id' => $this->msg( 
'newsletter-manage-header-publisher' )->escaped(),
+                               'permissions' => $this->msg( 
'newsletter-manage-header-permissions' )->escaped(),
+                               'action' => $this->msg( 
'newsletter-manage-header-action' )->escaped(),
                        );
                }
                return $this->fieldNames;
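Review bot: Changing the header labels in getFieldNames() from `->text()` to `->escaped()` may double-escape them: as far as I recall, core TablePager::getStartBody() already escapes field names itself (via `Html::element( 'th', ... )` for plain headers and `htmlspecialchars()` inside the sort link), so a label containing `&` or `<` would render as entity text unless this pager overrides header rendering. Worth confirming against the core version in use; if core does escape, `->text()` was correct for these four entries and the same applies to the getFieldNames() hunk in NewsletterTablePager.php. The formatValue() cells, by contrast, are inserted raw, so the htmlspecialchars() additions there are the right fix.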
@@ -71,7 +71,7 @@
                                }
 
                        case 'nlp_publisher_id':
-                               return User::newFromId( $value )->getName();
+                               return htmlspecialchars( User::newFromId( 
$value )->getName() );
 
                        case 'permissions' :
                                return HTML::element(
@@ -82,7 +82,7 @@
                                                        'id' => 
'newslettermanage',
                                                        'checked' => 
$isPublisher ? true : false,
                                                )
-                                       ) . $this->msg( 
'newsletter-publisher-radiobutton-label' )->text();
+                                       ) . $this->msg( 
'newsletter-publisher-radiobutton-label' )->escaped();
 
                        case 'action':
                                if ( $isPublisher ) {
diff --git a/includes/specials/pagers/NewsletterTablePager.php 
b/includes/specials/pagers/NewsletterTablePager.php
index 2b3a315..f359b71 100644
--- a/includes/specials/pagers/NewsletterTablePager.php
+++ b/includes/specials/pagers/NewsletterTablePager.php
@@ -22,15 +22,15 @@
        public function getFieldNames() {
                if ( $this->fieldNames === null ) {
                        $this->fieldNames = array(
-                               'nl_name' => $this->msg( 
'newsletter-header-name' )->text(),
-                               'nl_desc' => $this->msg( 
'newsletter-header-description' )->text(),
-                               'nl_frequency' => $this->msg ( 
'newsletter-header-frequency' )->text(),
-                               'subscriber_count' => $this->msg( 
'newsletter-header-subscriber_count' )->text(),
+                               'nl_name' => $this->msg( 
'newsletter-header-name' )->escaped(),
+                               'nl_desc' => $this->msg( 
'newsletter-header-description' )->escaped(),
+                               'nl_frequency' => $this->msg ( 
'newsletter-header-frequency' )->escaped(),
+                               'subscriber_count' => $this->msg( 
'newsletter-header-subscriber_count' )->escaped(),
                        );
 
                        if ( $this->getUser()->isLoggedIn() ) {
                                // Only logged-in users can (un)subscribe
-                               $this->fieldNames['action'] = $this->msg( 
'newsletter-header-action' )->text();
+                               $this->fieldNames['action'] = $this->msg( 
'newsletter-header-action' )->escaped();
                        }
                }
 
@@ -70,9 +70,9 @@
                                        return htmlspecialchars( $value );
                                }
                        case 'nl_desc':
-                               return $value;
+                               return htmlspecialchars( $value );
                        case 'nl_frequency':
-                               return $value;
+                               return htmlspecialchars( $value );
                        case 'subscriber_count':
                                // @todo Make this prettier
                                return HTML::element(
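Review bot: The case preceding `case 'nl_desc':` (its start is outside the hunk) returns only inside an `if`, so when that condition is false it now silently falls through into the new `return htmlspecialchars( $value );` for `nl_desc`. The result happens to be the same escaped value, but the dependency on fall-through is easy to break later; add `// fall through: same escaping as nl_desc` before `case 'nl_desc':`, or give the preceding case its own `return htmlspecialchars( $value );`. formatValue() continues beyond the hunk.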

-- 
To view, visit https://gerrit.wikimedia.org/r/248361
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7be05662b2da9aa0ef348835393c353147cc4c54
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Newsletter
Gerrit-Branch: master
Gerrit-Owner: Glaisher <[email protected]>
