Bartosz Dziewoński has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/321378

Change subject: mw.Message: Match behavior when key does not exist to PHP
......................................................................

mw.Message: Match behavior when key does not exist to PHP

See 184658eb32f6c5561cd3789716bd98c1e9f0ba04.

Change-Id: I3dba16bcb137ca2f52203bce95f8c044870af3fd
---
M includes/Message.php
M resources/src/mediawiki/mediawiki.js
M tests/qunit/suites/resources/mediawiki/mediawiki.test.js
3 files changed, 11 insertions(+), 9 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/78/321378/1

diff --git a/includes/Message.php b/includes/Message.php
index c1a12aa..3272aff 100644
--- a/includes/Message.php
+++ b/includes/Message.php
@@ -808,6 +808,7 @@
                        // message key is user-controlled.
                        // '⧼' is used instead of '<' to side-step any
                        // double-escaping issues.
+                       // (Keep synchronised with mw.Message#toString in JS.)
                        return '⧼' . htmlspecialchars( $this->key ) . '⧽';
                }
 
diff --git a/resources/src/mediawiki/mediawiki.js 
b/resources/src/mediawiki/mediawiki.js
index 9c8fe70..d525813 100644
--- a/resources/src/mediawiki/mediawiki.js
+++ b/resources/src/mediawiki/mediawiki.js
@@ -325,12 +325,15 @@
                        var text;
 
                        if ( !this.exists() ) {
-                               // Use <key> as text if key does not exist
-                               if ( this.format === 'escaped' || this.format 
=== 'parse' ) {
-                                       // format 'escaped' and 'parse' need to 
have the brackets and key html escaped
-                                       return mw.html.escape( '<' + this.key + 
'>' );
-                               }
-                               return '<' + this.key + '>';
+                               // Use ⧼key⧽ as text if key does not exist
+                               // Err on the side of safety, ensure that the 
output
+                               // is always html safe in the event the message 
key is
+                               // missing, since in that case its highly 
likely the
+                               // message key is user-controlled.
+                               // '⧼' is used instead of '<' to side-step any
+                               // double-escaping issues.
+                               // (Keep synchronised with Message::toString() 
in PHP.)
+                               return '⧼' + mw.html.escape( this.key ) + '⧽';
                        }
 
                        if ( this.format === 'plain' || this.format === 'text' 
|| this.format === 'parse' ) {
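Review bot: In the missing-key branch, the `plain` and `text` formats now return an HTML-escaped key, so a caller that places the result in a text node will show entities such as `&lt;` literally. Any caller that detected a missing message by comparing against `'<' + key + '>'` will also stop matching. The trade-off looks deliberate given the safety rationale in the comment, but the comment should say so, for example `// Escaped for every format, including 'plain' and 'text'; use exists() to detect a missing key.` The added comment also has `its highly likely`, which should read `it's highly likely`. The enclosing function starts and ends outside this hunk, so its doc block could not be checked for leftover `<key>` wording.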
diff --git a/tests/qunit/suites/resources/mediawiki/mediawiki.test.js 
b/tests/qunit/suites/resources/mediawiki/mediawiki.test.js
index 1518a80..1a1f5e2 100644
--- a/tests/qunit/suites/resources/mediawiki/mediawiki.test.js
+++ b/tests/qunit/suites/resources/mediawiki/mediawiki.test.js
@@ -239,9 +239,7 @@
                goodbye = mw.message( 'goodbye' );
                assert.strictEqual( goodbye.exists(), false, 'Message.exists 
returns false for nonexistent messages' );
 
-               assertMultipleFormats( [ 'goodbye' ], [ 'plain', 'text' ], 
'<goodbye>', 'Message.toString returns <key> if key does not exist' );
-               // bug 30684
-               assertMultipleFormats( [ 'goodbye' ], [ 'parse', 'escaped' ], 
'&lt;goodbye&gt;', 'Message.toString returns properly escaped &lt;key&gt; if 
key does not exist' );
+               assertMultipleFormats( [ 'good<>bye' ], [ 'plain', 'text', 
'parse', 'escaped' ], '⧼good&lt;&gt;bye⧽', 'Message.toString returns ⧽key⧽ if 
key does not exist' );
 
                assert.ok( mw.messages.set( 'plural-test-msg', 'There 
{{PLURAL:$1|is|are}} $1 {{PLURAL:$1|result|results}}' ), 'mw.messages.set: 
Register' );
                assertMultipleFormats( [ 'plural-test-msg', 6 ], [ 'text', 
'parse', 'escaped' ], 'There are 6 results', 'plural get resolved' );
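Review bot: The description string in the added `assertMultipleFormats` call reads `returns ⧽key⧽`, with the closing bracket on both sides. It should be `'Message.toString returns ⧼key⧽ if key does not exist'`. The escaping is the safety property under test, yet the only key exercised is `good<>bye`. A second case with `&` and quote characters would pin the rest of what `mw.html.escape` is expected to encode. The surrounding test function starts and ends outside this hunk.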

-- 
To view, visit https://gerrit.wikimedia.org/r/321378
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3dba16bcb137ca2f52203bce95f8c044870af3fd
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Bartosz Dziewoński <[email protected]>
