[MediaWiki-commits] [Gerrit] mediawiki/core[master]: mw.Message: Match behavior when key does not exist to PHP

[jenkins-bot (Code Review)]

jenkins-bot has submitted this change and it was merged.

Change subject: mw.Message: Match behavior when key does not exist to PHP
......................................................................


mw.Message: Match behavior when key does not exist to PHP

See 184658eb32f6c5561cd3789716bd98c1e9f0ba04.

Change-Id: I3dba16bcb137ca2f52203bce95f8c044870af3fd
---
M includes/Message.php
M resources/src/mediawiki/mediawiki.js
M tests/qunit/suites/resources/mediawiki/mediawiki.test.js
3 files changed, 12 insertions(+), 10 deletions(-)

Approvals:
  Jforrester: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/Message.php b/includes/Message.php
index c1a12aa..3272aff 100644
--- a/includes/Message.php
+++ b/includes/Message.php
@@ -808,6 +808,7 @@
                        // message key is user-controlled.
                        // '⧼' is used instead of '<' to side-step any
                        // double-escaping issues.
+                       // (Keep synchronised with mw.Message#toString in JS.)
                        return '⧼' . htmlspecialchars( $this->key ) . '⧽';
                }
 
diff --git a/resources/src/mediawiki/mediawiki.js 
b/resources/src/mediawiki/mediawiki.js
index 9c8fe70..d525813 100644
--- a/resources/src/mediawiki/mediawiki.js
+++ b/resources/src/mediawiki/mediawiki.js
@@ -325,12 +325,15 @@
                        var text;
 
                        if ( !this.exists() ) {
-                               // Use <key> as text if key does not exist
-                               if ( this.format === 'escaped' || this.format 
=== 'parse' ) {
-                                       // format 'escaped' and 'parse' need to 
have the brackets and key html escaped
-                                       return mw.html.escape( '<' + this.key + 
'>' );
-                               }
-                               return '<' + this.key + '>';
+                               // Use ⧼key⧽ as text if key does not exist
+                               // Err on the side of safety, ensure that the 
output
+                               // is always html safe in the event the message 
key is
+                               // missing, since in that case its highly 
likely the
+                               // message key is user-controlled.
+                               // '⧼' is used instead of '<' to side-step any
+                               // double-escaping issues.
+                               // (Keep synchronised with Message::toString() 
in PHP.)
+                               return '⧼' + mw.html.escape( this.key ) + '⧽';
                        }
 
                        if ( this.format === 'plain' || this.format === 'text' 
|| this.format === 'parse' ) {
diff --git a/tests/qunit/suites/resources/mediawiki/mediawiki.test.js 
b/tests/qunit/suites/resources/mediawiki/mediawiki.test.js
index 1518a80..6ee4901 100644
--- a/tests/qunit/suites/resources/mediawiki/mediawiki.test.js
+++ b/tests/qunit/suites/resources/mediawiki/mediawiki.test.js
@@ -239,9 +239,7 @@
                goodbye = mw.message( 'goodbye' );
                assert.strictEqual( goodbye.exists(), false, 'Message.exists 
returns false for nonexistent messages' );
 
-               assertMultipleFormats( [ 'goodbye' ], [ 'plain', 'text' ], 
'<goodbye>', 'Message.toString returns <key> if key does not exist' );
-               // bug 30684
-               assertMultipleFormats( [ 'goodbye' ], [ 'parse', 'escaped' ], 
'&lt;goodbye&gt;', 'Message.toString returns properly escaped &lt;key&gt; if 
key does not exist' );
+               assertMultipleFormats( [ 'good<>bye' ], [ 'plain', 'text', 
'parse', 'escaped' ], '⧼good&lt;&gt;bye⧽', 'Message.toString returns ⧽key⧽ if 
key does not exist' );
 
                assert.ok( mw.messages.set( 'plural-test-msg', 'There 
{{PLURAL:$1|is|are}} $1 {{PLURAL:$1|result|results}}' ), 'mw.messages.set: 
Register' );
                assertMultipleFormats( [ 'plural-test-msg', 6 ], [ 'text', 
'parse', 'escaped' ], 'There are 6 results', 'plural get resolved' );
@@ -320,7 +318,7 @@
        QUnit.test( 'mw.msg', 14, function ( assert ) {
                assert.ok( mw.messages.set( 'hello', 'Hello <b>awesome</b> 
world' ), 'mw.messages.set: Register' );
                assert.equal( mw.msg( 'hello' ), 'Hello <b>awesome</b> world', 
'Gets message with default options (existing message)' );
-               assert.equal( mw.msg( 'goodbye' ), '<goodbye>', 'Gets message 
with default options (nonexistent message)' );
+               assert.equal( mw.msg( 'goodbye' ), '⧼goodbye⧽', 'Gets message 
with default options (nonexistent message)' );
 
                assert.ok( mw.messages.set( 'plural-item', 'Found $1 
{{PLURAL:$1|item|items}}' ), 'mw.messages.set: Register' );
                assert.equal( mw.msg( 'plural-item', 5 ), 'Found 5 items', 
'Apply plural for count 5' );

-- 
To view, visit https://gerrit.wikimedia.org/r/321378
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I3dba16bcb137ca2f52203bce95f8c044870af3fd
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Bartosz Dziewoński <matma....@gmail.com>
Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com>
Gerrit-Reviewer: Jack Phoenix <j...@countervandalism.net>
Gerrit-Reviewer: Jforrester <jforres...@wikimedia.org>
Gerrit-Reviewer: Krinkle <krinklem...@gmail.com>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits