MaxSem has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/390291 )
Change subject: Escape single quotes in attributes
......................................................................
Escape single quotes in attributes
Replaces a long excuse in Html class not to call
Sanitizer::encodeAttribute() with a call to it.
In anything security related, excuses are a sign that you're doing
something wrong:)
Change-Id: Icf7f60d8cd6ea757d8f1999d638b82733001f68a
(cherry picked from commit 47416c0a862fbbdb58b5942a3118f220546878da)
---
M includes/Html.php
M tests/parser/parserTests.txt
2 files changed, 18 insertions(+), 39 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core
refs/changes/91/390291/1
diff --git a/includes/Html.php b/includes/Html.php
index 8fe4dbe..0988b05 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -544,28 +544,7 @@
if ( in_array( $key, self::$boolAttribs ) ) {
$ret .= " $key=\"\"";
} else {
- // Apparently we need to entity-encode \n, \r,
\t, although the
- // spec doesn't mention that. Since we're
doing strtr() anyway,
- // we may as well not call htmlspecialchars().
- // @todo FIXME: Verify that we actually need to
- // escape \n\r\t here, and explain why, exactly.
- // We could call Sanitizer::encodeAttribute()
for this, but we
- // don't because we're stubborn and like our
marginal savings on
- // byte size from not having to encode
unnecessary quotes.
- // The only difference between this transform
and the one by
- // Sanitizer::encodeAttribute() is ' is not
encoded.
- $map = [
- '&' => '&',
- '"' => '"',
- '>' => '>',
- // '<' allegedly allowed per spec
- // but breaks some tools if not escaped.
- "<" => '<',
- "\n" => ' ',
- "\r" => ' ',
- "\t" => '	'
- ];
- $ret .= " $key=$quote" . strtr( $value, $map )
. $quote;
+ $ret .= " $key=$quote" .
Sanitizer::encodeAttribute( $value ) . $quote;
}
}
return $ret;
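Review bot: the removed block carried an unresolved @todo about entity-encoding \n, \r and \t, and an explicit mapping for `<` kept "because it breaks some tools"; the replacement delegates everything to Sanitizer::encodeAttribute(), so the commit message should state that encodeAttribute() still covers those four characters in addition to the quotes, otherwise this hunk drops that behaviour silently. The `$quote` delimiter is still wrapped around the value on the `+` line; with both `"` and `'` now encoded the choice of delimiter is no longer what keeps the attribute closed, which is the whole point of the change and is worth a one-line comment where `$quote` is assigned. Note also that the `$map` as shown here has identity entries such as `'&' => '&'`: that is the entity references being rendered back to characters in this message, so compare against the raw patch rather than the mail when checking what was removed.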
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 2064e03..dfbc8ce 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -4911,7 +4911,7 @@
news:'a'b''c''d e
!! html/php
<p><b>News:</b> Stuff here
-</p><p><a rel="nofollow" class="external free"
href="news:'a'b">news:'a'b</a><i>c</i>d e
+</p><p><a rel="nofollow" class="external free"
href="news:'a'b">news:'a'b</a><i>c</i>d e
</p>
!! html/parsoid
<p><b>News:</b> Stuff here</p>
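Review bot: as displayed here the `-` and `+` expectation lines are byte-identical, because the entity references in the expected HTML have been rendered back to literal characters; the intended delta is the `'` inside `href="news:'a'b"` becoming an entity reference produced by Sanitizer::encodeAttribute(), which is the only output change the Html.php hunk introduces. The same holds for every parserTests.txt hunk below, so verify on the raw diff that each changed line differs only in the apostrophe encoding and not, for example, in the `&` of the query strings.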
@@ -5557,8 +5557,8 @@
[//foo.org/bar'baz bang]
!! html/php
-<p><a rel="nofollow" class="external autonumber"
href="//foo.org/bar'baz">[1]</a>
-</p><p><a rel="nofollow" class="external text"
href="//foo.org/bar'baz">bang</a>
+<p><a rel="nofollow" class="external autonumber"
href="//foo.org/bar'baz">[1]</a>
+</p><p><a rel="nofollow" class="external text"
href="//foo.org/bar'baz">bang</a>
</p>
!! html/parsoid
<p><a rel="mw:ExtLink" href="//foo.org/bar'baz"></a></p>
@@ -7973,7 +7973,7 @@
!! wikitext
[[Lista d''e paise d''o munno]]
!! html/php
-<p><a
href="/index.php?title=Lista_d%27%27e_paise_d%27%27o_munno&action=edit&redlink=1"
class="new" title="Lista d''e paise d''o munno (page does not exist)">Lista
d''e paise d''o munno</a>
+<p><a
href="/index.php?title=Lista_d%27%27e_paise_d%27%27o_munno&action=edit&redlink=1"
class="new" title="Lista d''e paise d''o munno (page does not
exist)">Lista d''e paise d''o munno</a>
</p>
!! html/parsoid
<p><a rel="mw:WikiLink" href="./Lista_d''e_paise_d''o_munno" title="Lista d''e
paise d''o munno">Lista d''e paise d''o munno</a></p>
@@ -8038,9 +8038,9 @@
[[''Pentecoste''|''Pentecoste'']]
!! html/php
<p><a
href="/index.php?title=Special:Upload&wpDestFile=Denys_Savchenko_%27%27Pentecoste%27%27.jpg"
class="new" title="File:Denys Savchenko
''Pentecoste''.jpg">File:Denys Savchenko
<i>Pentecoste</i>.jpg</a>
-</p><p><a
href="/index.php?title=%27%27Pentecoste%27%27&action=edit&redlink=1"
class="new" title="''Pentecoste'' (page does not exist)">''Pentecoste''</a>
-</p><p><a
href="/index.php?title=%27%27Pentecoste%27%27&action=edit&redlink=1"
class="new" title="''Pentecoste'' (page does not exist)">Pentecoste</a>
-</p><p><a
href="/index.php?title=%27%27Pentecoste%27%27&action=edit&redlink=1"
class="new" title="''Pentecoste'' (page does not exist)"><i>Pentecoste</i></a>
+</p><p><a
href="/index.php?title=%27%27Pentecoste%27%27&action=edit&redlink=1"
class="new" title="''Pentecoste'' (page does not
exist)">''Pentecoste''</a>
+</p><p><a
href="/index.php?title=%27%27Pentecoste%27%27&action=edit&redlink=1"
class="new" title="''Pentecoste'' (page does not
exist)">Pentecoste</a>
+</p><p><a
href="/index.php?title=%27%27Pentecoste%27%27&action=edit&redlink=1"
class="new" title="''Pentecoste'' (page does not
exist)"><i>Pentecoste</i></a>
</p>
!! html/parsoid
<p><span class="mw-default-size" typeof="mw:Error mw:Image"
data-mw='{"errors":[{"key":"apierror-filedoesnotexist","message":"This image
does not exist."}]}'><a href="./File:Denys_Savchenko_''Pentecoste''.jpg"><img
resource="./File:Denys_Savchenko_''Pentecoste''.jpg"
src="./Special:FilePath/Denys_Savchenko_''Pentecoste''.jpg" height="220"
width="220"/></a></span></p>
@@ -8333,7 +8333,7 @@
!! wikitext
[[Something]]'nice
!! html
-<p><a href="/index.php?title=Something&action=edit&redlink=1"
class="new" title="Something (bet ele jaratılmag'an)">Something'nice</a>
+<p><a href="/index.php?title=Something&action=edit&redlink=1"
class="new" title="Something (bet ele jaratılmag'an)">Something'nice</a>
</p>
!! end
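Review bot: the apostrophe in this title comes from the localised "page does not exist" message (`bet ele jaratılmag'an`), not from the page name, which makes this a good regression case: it shows that i18n text, not only user-supplied titles, reaches the attribute encoder through Html.php, so message text must never be assumed quote-free. Worth a short `!! comment` above the test saying that the localised message is what exercises the encoding here.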
@@ -15817,7 +15817,7 @@
!! wikitext
[[:Category:MediaWiki User's Guide]]
!! html
-<p><a href="/wiki/Category:MediaWiki_User%27s_Guide" title="Category:MediaWiki
User's Guide">Category:MediaWiki User's Guide</a>
+<p><a href="/wiki/Category:MediaWiki_User%27s_Guide" title="Category:MediaWiki
User's Guide">Category:MediaWiki User's Guide</a>
</p>
!! end
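Review bot: this hunk is a useful check that the two encoding layers stay separate: the href already carries the apostrophe percent-encoded as `%27` (applied when the link target was built as a URL) and is unchanged, while the `title` attribute, which holds the raw title text, is the part that now gains attribute encoding. A test asserting that the href is not double-encoded (no `%2527` and no entity inside the `%27`) would guard that boundary going forward.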
@@ -16718,7 +16718,7 @@
<h2><span class="mw-headline" id="text_.26_text">text & text</span><span
class="mw-editsection"><span class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=3" title="Edit
section: text & text">edit</a><span
class="mw-editsection-bracket">]</span></span></h2>
<p>section 3
</p>
-<h2><span class="mw-headline" id="text_.27_text">text ' text</span><span
class="mw-editsection"><span class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=4" title="Edit
section: text ' text">edit</a><span
class="mw-editsection-bracket">]</span></span></h2>
+<h2><span class="mw-headline" id="text_.27_text">text ' text</span><span
class="mw-editsection"><span class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=4" title="Edit
section: text ' text">edit</a><span
class="mw-editsection-bracket">]</span></span></h2>
<p>section 4
</p>
<h2><span class="mw-headline" id="text_.22_text">text " text</span><span
class="mw-editsection"><span class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=5" title="Edit
section: text " text">edit</a><span
class="mw-editsection-bracket">]</span></span></h2>
@@ -29351,7 +29351,7 @@
<li class="toclevel-1 tocsection-3"><a href="#Тест"><span
class="tocnumber">3</span> <span class="toctext">Тест</span></a></li>
<li class="toclevel-1 tocsection-4"><a href="#Тест_2"><span
class="tocnumber">4</span> <span class="toctext">Тест</span></a></li>
<li class="toclevel-1 tocsection-5"><a href="#тест"><span
class="tocnumber">5</span> <span class="toctext">тест</span></a></li>
-<li class="toclevel-1 tocsection-6"><a
href="#Hey_<_#_"_>_%_:_'"><span class="tocnumber">6</span> <span
class="toctext">Hey < # " > % : '</span></a></li>
+<li class="toclevel-1 tocsection-6"><a
href="#Hey_<_#_"_>_%_:_'"><span class="tocnumber">6</span> <span
class="toctext">Hey < # " > % : '</span></a></li>
</ul>
</div>
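Review bot: the `href="#Hey_<_#_"_>_%_:_'"` shown on the `+` line would, read literally, end the attribute at the embedded `"`; in the real file those characters are entity references, and the expectation now has to show both `"` and `'` encoded since encodeAttribute() handles them together. Because this heading deliberately puts `<`, `"`, `>` and `'` into an id and an anchor target, it is the strongest attribute-context escaping test in this change, so confirm that the `+` line differs from the `-` line only in the apostrophe and that the `<` and `"` encodings are unchanged from before.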
@@ -29360,8 +29360,8 @@
<h2><span id=".D0.A2.D0.B5.D1.81.D1.82"></span><span class="mw-headline"
id="Тест">Тест</span><span class="mw-editsection"><span
class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=3" title="Edit
section: Тест">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<h2><span id=".D0.A2.D0.B5.D1.81.D1.82_2"></span><span class="mw-headline"
id="Тест_2">Тест</span><span class="mw-editsection"><span
class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=4" title="Edit
section: Тест">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<h2><span id=".D1.82.D0.B5.D1.81.D1.82"></span><span class="mw-headline"
id="тест">тест</span><span class="mw-editsection"><span
class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=5" title="Edit
section: тест">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
-<h2><span id="Hey_.3C_.23_.22_.3E_.25_:_.27"></span><span class="mw-headline"
id="Hey_<_#_"_>_%_:_'">Hey < # " > % : '</span><span
class="mw-editsection"><span class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=6" title="Edit
section: Hey < # " > % : '">edit</a><span
class="mw-editsection-bracket">]</span></span></h2>
-<p><a href="#Foo_bar">#Foo bar</a> <a href="#foo_Bar">#foo Bar</a> <a
href="#Тест">#Тест</a> <a href="#тест">#тест</a> <a
href="#Hey_<_#_"_>_%_:_'">#Hey < # " > % : '</a>
+<h2><span id="Hey_.3C_.23_.22_.3E_.25_:_.27"></span><span class="mw-headline"
id="Hey_<_#_"_>_%_:_'">Hey < # " > % : '</span><span
class="mw-editsection"><span class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=6" title="Edit
section: Hey < # " > % : '">edit</a><span
class="mw-editsection-bracket">]</span></span></h2>
+<p><a href="#Foo_bar">#Foo bar</a> <a href="#foo_Bar">#foo Bar</a> <a
href="#Тест">#Тест</a> <a href="#тест">#тест</a> <a
href="#Hey_<_#_"_>_%_:_'">#Hey < # " > % : '</a>
</p><p>💩 <span id="💩"></span>
</p><p><a href="#啤酒">#啤酒</a> <a href="#啤酒">#啤酒</a>
</p>
@@ -29407,7 +29407,7 @@
<h2><span id="Тест"></span><span class="mw-headline"
id=".D0.A2.D0.B5.D1.81.D1.82">Тест</span><span class="mw-editsection"><span
class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=3" title="Edit
section: Тест">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<h2><span id="Тест_2"></span><span class="mw-headline"
id=".D0.A2.D0.B5.D1.81.D1.82_2">Тест</span><span class="mw-editsection"><span
class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=4" title="Edit
section: Тест">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<h2><span id="тест"></span><span class="mw-headline"
id=".D1.82.D0.B5.D1.81.D1.82">тест</span><span class="mw-editsection"><span
class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=5" title="Edit
section: тест">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
-<h2><span id="Hey_<_#_"_>_%_:_'"></span><span class="mw-headline"
id="Hey_.3C_.23_.22_.3E_.25_:_.27">Hey < # " > % :
'</span><span class="mw-editsection"><span
class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=6" title="Edit
section: Hey < # " > % : '">edit</a><span
class="mw-editsection-bracket">]</span></span></h2>
+<h2><span id="Hey_<_#_"_>_%_:_'"></span><span class="mw-headline"
id="Hey_.3C_.23_.22_.3E_.25_:_.27">Hey < # " > % :
'</span><span class="mw-editsection"><span
class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=6" title="Edit
section: Hey < # " > % : '">edit</a><span
class="mw-editsection-bracket">]</span></span></h2>
<p><a href="#Foo_bar">#Foo bar</a> <a href="#foo_Bar">#foo Bar</a> <a
href="#.D0.A2.D0.B5.D1.81.D1.82">#Тест</a> <a
href="#.D1.82.D0.B5.D1.81.D1.82">#тест</a> <a
href="#Hey_.3C_.23_.22_.3E_.25_:_.27">#Hey < # " > % : '</a>
</p><p>.F0.9F.92.A9 <span id=".F0.9F.92.A9"></span>
</p><p><a href="#.E5.95.A4.E9.85.92">#啤酒</a> <a
href="#.E5.95.A4.E9.85.92">#啤酒</a>
@@ -29445,7 +29445,7 @@
<li class="toclevel-1 tocsection-3"><a href="#Тест"><span
class="tocnumber">3</span> <span class="toctext">Тест</span></a></li>
<li class="toclevel-1 tocsection-4"><a href="#Тест_2"><span
class="tocnumber">4</span> <span class="toctext">Тест</span></a></li>
<li class="toclevel-1 tocsection-5"><a href="#тест"><span
class="tocnumber">5</span> <span class="toctext">тест</span></a></li>
-<li class="toclevel-1 tocsection-6"><a
href="#Hey_<_#_"_>_%_:_'"><span class="tocnumber">6</span> <span
class="toctext">Hey < # " > % : '</span></a></li>
+<li class="toclevel-1 tocsection-6"><a
href="#Hey_<_#_"_>_%_:_'"><span class="tocnumber">6</span> <span
class="toctext">Hey < # " > % : '</span></a></li>
</ul>
</div>
@@ -29454,8 +29454,8 @@
<h2><span class="mw-headline" id="Тест">Тест</span><span
class="mw-editsection"><span class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=3" title="Edit
section: Тест">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<h2><span class="mw-headline" id="Тест_2">Тест</span><span
class="mw-editsection"><span class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=4" title="Edit
section: Тест">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<h2><span class="mw-headline" id="тест">тест</span><span
class="mw-editsection"><span class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=5" title="Edit
section: тест">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
-<h2><span class="mw-headline" id="Hey_<_#_"_>_%_:_'">Hey < # "
> % : '</span><span class="mw-editsection"><span
class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=6" title="Edit
section: Hey < # " > % : '">edit</a><span
class="mw-editsection-bracket">]</span></span></h2>
-<p><a href="#Foo_bar">#Foo bar</a> <a href="#foo_Bar">#foo Bar</a> <a
href="#Тест">#Тест</a> <a href="#тест">#тест</a> <a
href="#Hey_<_#_"_>_%_:_'">#Hey < # " > % : '</a>
+<h2><span class="mw-headline" id="Hey_<_#_"_>_%_:_'">Hey < # "
> % : '</span><span class="mw-editsection"><span
class="mw-editsection-bracket">[</span><a
href="/index.php?title=Parser_test&action=edit&section=6" title="Edit
section: Hey < # " > % : '">edit</a><span
class="mw-editsection-bracket">]</span></span></h2>
+<p><a href="#Foo_bar">#Foo bar</a> <a href="#foo_Bar">#foo Bar</a> <a
href="#Тест">#Тест</a> <a href="#тест">#тест</a> <a
href="#Hey_<_#_"_>_%_:_'">#Hey < # " > % : '</a>
</p><p>💩 <span id="💩"></span>
</p><p><a href="#啤酒">#啤酒</a> <a href="#啤酒">#啤酒</a>
</p>
--
To view, visit https://gerrit.wikimedia.org/r/390291
Gerrit-MessageType: newchange
Gerrit-Change-Id: Icf7f60d8cd6ea757d8f1999d638b82733001f68a
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_30
Gerrit-Owner: MaxSem <[email protected]>
MediaWiki-commits mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits