[MediaWiki-commits] [Gerrit] Do escaping before output on Newsletter special pages - change (mediawiki...Newsletter)
jenkins-bot has submitted this change and it was merged. Change subject: Do escaping before output on Newsletter special pages .. Do escaping before output on Newsletter special pages Bug: T116382 Change-Id: I7be05662b2da9aa0ef348835393c353147cc4c54 --- M includes/specials/SpecialNewsletter.php M includes/specials/pagers/NewsletterManageTablePager.php M includes/specials/pagers/NewsletterTablePager.php 3 files changed, 16 insertions(+), 15 deletions(-) Approvals: Siebrand: Looks good to me, approved jenkins-bot: Verified
diff --git a/includes/specials/SpecialNewsletter.php b/includes/specials/SpecialNewsletter.php
index d9072ba..6007b7b 100644
--- a/includes/specials/SpecialNewsletter.php
+++ b/includes/specials/SpecialNewsletter.php
@@ -122,8 +122,9 @@
 'mainpage' => array(
 'type' => 'info',
 'label-message' => 'newsletter-view-mainpage',
- 'default' => Linker::link( $mainTitle, $mainTitle->getPrefixedText() ) . ' ' .
- $this->msg( 'parentheses' )->rawParams(
+ 'default' => Linker::link( $mainTitle, htmlspecialchars( $mainTitle->getPrefixedText() ) )
+ . ' '
+ . $this->msg( 'parentheses' )->rawParams(
 Linker::link( $mainTitle, 'hist', array(), array( 'action' => 'history' ) )
 )->escaped(),
 'raw' => true,
diff --git a/includes/specials/pagers/NewsletterManageTablePager.php b/includes/specials/pagers/NewsletterManageTablePager.php
index 69169f8..152d9fe 100644
--- a/includes/specials/pagers/NewsletterManageTablePager.php
+++ b/includes/specials/pagers/NewsletterManageTablePager.php
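Review bot: The manual `htmlspecialchars()` on the link text of the `mainpage` entry in SpecialNewsletter.php can be avoided by letting `Linker::link()` build its own text: when the second argument is omitted it uses the escaped prefixed title, so `Linker::link( $mainTitle )` should give the same output with one fewer place to get escaping wrong. Because the entry sets `'raw' => true`, a short comment such as `// 'raw' => true: every fragment of 'default' must already be HTML-safe` above it would help the next editor. The adjacent context line still passes the literal `'hist'` as link HTML, which is safe but hard-codes an untranslated string. The same hunk is repeated in the patch-set-1 mail further down, and the array this entry belongs to starts and ends outside the hunk.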
@@ -26,10 +26,10 @@
 public function getFieldNames() {
 if ( $this->fieldNames === null ) {
 $this->fieldNames = array(
- 'nl_id' => $this->msg( 'newsletter-manage-header-name' )->text(),
- 'nlp_publisher_id' => $this->msg( 'newsletter-manage-header-publisher' )->text(),
- 'permissions' => $this->msg( 'newsletter-manage-header-permissions' )->text(),
- 'action' => $this->msg( 'newsletter-manage-header-action' )->text(),
+ 'nl_id' => $this->msg( 'newsletter-manage-header-name' )->escaped(),
+ 'nlp_publisher_id' => $this->msg( 'newsletter-manage-header-publisher' )->escaped(),
+ 'permissions' => $this->msg( 'newsletter-manage-header-permissions' )->escaped(),
+ 'action' => $this->msg( 'newsletter-manage-header-action' )->escaped(),
 );
 }
 return $this->fieldNames;
@@ -71,7 +71,7 @@
 }
 case 'nlp_publisher_id':
- return User::newFromId( $value )->getName();
+ return htmlspecialchars( User::newFromId( $value )->getName() );
 case 'permissions' :
 return HTML::element(
@@ -82,7 +82,7 @@
 'id' => 'newslettermanage',
 'checked' => $isPublisher ? true : false,
 )
- ) . $this->msg( 'newsletter-publisher-radiobutton-label' )->text();
+ ) . $this->msg( 'newsletter-publisher-radiobutton-label' )->escaped();
 case 'action':
 if ( $isPublisher ) {
diff --git a/includes/specials/pagers/NewsletterTablePager.php b/includes/specials/pagers/NewsletterTablePager.php
index 2b3a315..f359b71 100644
--- a/includes/specials/pagers/NewsletterTablePager.php
+++ b/includes/specials/pagers/NewsletterTablePager.php
@@ -22,15 +22,15 @@
 public function getFieldNames() {
 if ( $this->fieldNames === null ) {
 $this->fieldNames = array(
- 'nl_name' => $this->msg( 'newsletter-header-name' )->text(),
- 'nl_desc' => $this->msg( 'newsletter-header-description' )->text(),
- 'nl_frequency' => $this->msg ( 'newsletter-header-frequency' )->text(),
- 'subscriber_count' => $this->msg( 'newsletter-header-subscriber_count' )->text(),
+
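Review bot: Switching the header labels in `getFieldNames()` from `->text()` to `->escaped()` risks double escaping, because the base pager class (not visible here; presumably core's TablePager) is, as far as I recall, already passing the field names through `htmlspecialchars()` when it renders the header row. If that holds for the MediaWiki version this extension targets, a translation containing `&` or a quote would be shown as a literal entity, and the labels should stay `->text()` in both NewsletterManageTablePager and NewsletterTablePager. The escaping added in the `case 'nlp_publisher_id':` and `case 'permissions' :` branches looks like the right place, since the latter visibly concatenates onto `HTML::element()` output. The same hunks are repeated in the patch-set-1 mail below, and the NewsletterTablePager hunk is cut off at the end of this excerpt.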
[MediaWiki-commits] [Gerrit] Do escaping before output on Newsletter special pages - change (mediawiki...Newsletter)
Glaisher has uploaded a new change for review. https://gerrit.wikimedia.org/r/248361 Change subject: Do escaping before output on Newsletter special pages .. Do escaping before output on Newsletter special pages Bug: T116382 Change-Id: I7be05662b2da9aa0ef348835393c353147cc4c54 --- M includes/specials/SpecialNewsletter.php M includes/specials/pagers/NewsletterManageTablePager.php M includes/specials/pagers/NewsletterTablePager.php 3 files changed, 17 insertions(+), 16 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Newsletter refs/changes/61/248361/1
diff --git a/includes/specials/SpecialNewsletter.php b/includes/specials/SpecialNewsletter.php
index d9072ba..d016884 100644
--- a/includes/specials/SpecialNewsletter.php
+++ b/includes/specials/SpecialNewsletter.php
@@ -43,7 +43,7 @@
 list( $id, $action ) = $params;
 $out = $this->getOutput();
- $this->newsletter = Newsletter::newFromID( (int)$id );
+ $this->newsletter = Newsletter::newFromID( $id );
 if ( $this->newsletter ) {
@@ -122,8 +122,9 @@
 'mainpage' => array(
 'type' => 'info',
 'label-message' => 'newsletter-view-mainpage',
- 'default' => Linker::link( $mainTitle, $mainTitle->getPrefixedText() ) . ' ' .
- $this->msg( 'parentheses' )->rawParams(
+ 'default' => Linker::link( $mainTitle, htmlspecialchars( $mainTitle->getPrefixedText() ) )
+ . ' '
+ . $this->msg( 'parentheses' )->rawParams(
 Linker::link( $mainTitle, 'hist', array(), array( 'action' => 'history' ) )
 )->escaped(),
 'raw' => true,
diff --git a/includes/specials/pagers/NewsletterManageTablePager.php b/includes/specials/pagers/NewsletterManageTablePager.php
index 69169f8..152d9fe 100644
--- a/includes/specials/pagers/NewsletterManageTablePager.php
+++ b/includes/specials/pagers/NewsletterManageTablePager.php
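Review bot: Dropping the `(int)` cast in `Newsletter::newFromID( $id )` (hunk `@@ -43,7 +43,7 @@` of SpecialNewsletter.php) is unrelated to output escaping and passes `$id`, taken straight from `list( $id, $action ) = $params;`, into the lookup without normalisation. Whether `newFromID()` validates or casts its argument is not visible here, so I would keep `Newsletter::newFromID( (int)$id )` in this commit, or move the validation into `newFromID()` in a separate change. The merged version of this change in the first mail no longer contains this hunk. The enclosing method starts and ends outside the hunk.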
@@ -26,10 +26,10 @@
 public function getFieldNames() {
 if ( $this->fieldNames === null ) {
 $this->fieldNames = array(
- 'nl_id' => $this->msg( 'newsletter-manage-header-name' )->text(),
- 'nlp_publisher_id' => $this->msg( 'newsletter-manage-header-publisher' )->text(),
- 'permissions' => $this->msg( 'newsletter-manage-header-permissions' )->text(),
- 'action' => $this->msg( 'newsletter-manage-header-action' )->text(),
+ 'nl_id' => $this->msg( 'newsletter-manage-header-name' )->escaped(),
+ 'nlp_publisher_id' => $this->msg( 'newsletter-manage-header-publisher' )->escaped(),
+ 'permissions' => $this->msg( 'newsletter-manage-header-permissions' )->escaped(),
+ 'action' => $this->msg( 'newsletter-manage-header-action' )->escaped(),
 );
 }
 return $this->fieldNames;
@@ -71,7 +71,7 @@
 }
 case 'nlp_publisher_id':
- return User::newFromId( $value )->getName();
+ return htmlspecialchars( User::newFromId( $value )->getName() );
 case 'permissions' :
 return HTML::element(
@@ -82,7 +82,7 @@
 'id' => 'newslettermanage',
 'checked' => $isPublisher ? true : false,
 )
- ) . $this->msg( 'newsletter-publisher-radiobutton-label' )->text();
+ ) . $this->msg( 'newsletter-publisher-radiobutton-label' )->escaped();
 case 'action':
 if ( $isPublisher ) {
diff --git a/includes/specials/pagers/NewsletterTablePager.php b/includes/specials/pagers/NewsletterTablePager.php
index 2b3a315..f359b71 100644
--- a/includes/specials/pagers/NewsletterTablePager.php
+++ b/includes/specials/pagers/NewsletterTablePager.php
@@ -22,15 +22,15 @@
 public function getFieldNames() {
 if ( $this->fieldNames === null ) {
 $this->fieldNames = array(
- 'nl_name' => $this->msg( 'newsletter-header-name' )->text(),