Awight has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/342047 )
Change subject: Stop prematurely escaping ...................................................................... Stop prematurely escaping Escaping should be done before HTML display, not as pseduo-sanitization. Change-Id: Ifefc3f5990992730098dede918ccee269cad0194 --- M astropay_gateway/astropay.adapter.php M gateway_common/DonationData.php M gateway_common/gateway.adapter.php M tests/phpunit/Adapter/GlobalCollect/GlobalCollectTest.php 4 files changed, 16 insertions(+), 33 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/DonationInterface refs/changes/47/342047/1 diff --git a/astropay_gateway/astropay.adapter.php b/astropay_gateway/astropay.adapter.php index 6e042fd..950f5b4 100644 --- a/astropay_gateway/astropay.adapter.php +++ b/astropay_gateway/astropay.adapter.php @@ -359,8 +359,8 @@ } else if ( preg_match( '/param x_cpf$/i', $response['desc'] ) ) { // Something wrong with the fiscal number $context = 'fiscal_number'; - $language = $this->dataObj->getVal_Escaped( 'language' ); - $country = $this->dataObj->getVal_Escaped( 'country' ); + $language = $this->dataObj->getVal( 'language' ); + $country = $this->dataObj->getVal( 'country' ); $message = DataValidator::getErrorMessage( 'fiscal_number', 'calculated', $language, $country ); } else if ( preg_match( '/invalid control/i', $response['desc'] ) ) { // They think we screwed up the signature. Log what we signed. diff --git a/gateway_common/DonationData.php b/gateway_common/DonationData.php index 07c6d43..26088eb 100644 --- a/gateway_common/DonationData.php +++ b/gateway_common/DonationData.php @@ -201,13 +201,12 @@ } /** - * Returns an array of normalized and escaped donation data + * Returns the array of all normalized donation data. + * * @return array */ - public function getDataEscaped() { - $escaped = $this->normalized; - array_walk( $escaped, array( $this, 'sanitizeInput' ) ); - return $escaped; + public function getData() { + return $this->normalized; } /** @@ -229,30 +228,14 @@ } /** - * getVal_Escaped - * @param string $key The data field you would like to retrieve. Pulls the - * data from $this->normalized if it is found to be something. - * @return mixed The normalized and escaped value of that $key. - */ - public function getVal_Escaped( $key ) { - if ( $this->isSomething( $key ) ) { - //TODO: If we ever start sanitizing in a more complicated way, we should move this - //off to a function and have both getVal_Escaped and sanitizeInput call that. - return htmlspecialchars( $this->normalized[$key], ENT_COMPAT, 'UTF-8', false ); - } else { - return null; - } - } - - /** - * getVal - * For Internal Use Only! External objects should use getVal_Escaped. + * Return the value at a key, or null if the key isn't populated. + * * @param string $key The data field you would like to retrieve directly * from $this->normalized. * @return mixed The normalized value of that $key, or null if it isn't * something. */ - protected function getVal( $key ) { + public function getVal( $key ) { if ( $this->isSomething( $key ) ) { return $this->normalized[$key]; } else { diff --git a/gateway_common/gateway.adapter.php b/gateway_common/gateway.adapter.php index 84b980d..8d7ed15 100644 --- a/gateway_common/gateway.adapter.php +++ b/gateway_common/gateway.adapter.php @@ -241,7 +241,7 @@ $this->setValidationErrors( $this->getOriginalValidationErrors() ); - $this->unstaged_data = $this->dataObj->getDataEscaped(); + $this->unstaged_data = $this->dataObj->getData(); $this->staged_data = $this->unstaged_data; // checking to see if we have an edit token in the request... @@ -924,7 +924,7 @@ $this->regenerateOrderID(); // Pull anything changed from dataObj - $this->unstaged_data = $this->dataObj->getDataEscaped(); + $this->unstaged_data = $this->dataObj->getData(); $this->staged_data = $this->unstaged_data; $this->stageData(); } @@ -2125,7 +2125,7 @@ } public function getFormClass() { - $ffname = $this->dataObj->getVal_Escaped( 'ffname' ); + $ffname = $this->dataObj->getVal( 'ffname' ); if ( strpos( $ffname, 'error') === 0 || strpos( $ffname, 'maintenance') === 0 ) { return 'MustacheErrorForm'; @@ -2315,7 +2315,7 @@ * our DonationData object. */ function refreshGatewayValueFromSource( $val ) { - $refreshed = $this->dataObj->getVal_Escaped( $val ); + $refreshed = $this->dataObj->getVal( $val ); if ( !is_null($refreshed) ){ $this->staged_data[$val] = $refreshed; $this->unstaged_data[$val] = $refreshed; @@ -3377,7 +3377,7 @@ // sequence number tacked on to the end for uniqueness $dataObj = ( $dataObj ) ?: $this->dataObj; - $ctid = $dataObj->getVal_Escaped( 'contribution_tracking_id' ); + $ctid = $dataObj->getVal( 'contribution_tracking_id' ); if ( !$ctid ) { $ctid = $dataObj->saveContributionTrackingData(); } diff --git a/tests/phpunit/Adapter/GlobalCollect/GlobalCollectTest.php b/tests/phpunit/Adapter/GlobalCollect/GlobalCollectTest.php index 12dc77d..4c46ab2 100644 --- a/tests/phpunit/Adapter/GlobalCollect/GlobalCollectTest.php +++ b/tests/phpunit/Adapter/GlobalCollect/GlobalCollectTest.php @@ -396,10 +396,10 @@ $exposed = TestingAccessWrapper::newFromObject( $gateway ); // Desired vars were written into normalized data. - $this->assertEquals( $ctid, $exposed->dataObj->getVal_Escaped( 'contribution_tracking_id' ) ); + $this->assertEquals( $ctid, $exposed->dataObj->getVal( 'contribution_tracking_id' ) ); // Language was not overwritten. - $this->assertEquals( 'ca', $exposed->dataObj->getVal_Escaped( 'language' ) ); + $this->assertEquals( 'ca', $exposed->dataObj->getVal( 'language' ) ); } /** -- To view, visit https://gerrit.wikimedia.org/r/342047 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ifefc3f5990992730098dede918ccee269cad0194 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/DonationInterface Gerrit-Branch: master Gerrit-Owner: Awight <awi...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits