[MediaWiki-commits] [Gerrit] mediawiki/core[master]: Use Sanitizer::stripAllTags( $x ) instead of html_entity_dec...
jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/363987 ) Change subject: Use Sanitizer::stripAllTags( $x ) instead of html_entity_decode( strip_tags( $x ) ) .. Use Sanitizer::stripAllTags( $x ) instead of html_entity_decode( strip_tags( $x ) ) We have a utility function for this, so let's use it. What I don't understand though is why Sanitizer uses custom PHP implementations for both tag stripping and entity decoding, instead of the built-in functions. If there's a security reason for this or the built-ins are inadequate, that's fine, but then that should be documented (and we should possibly ban usage of the built-ins). Change-Id: I2ba2ecd388cb3d9cd2360ecaa236f3d444f0eabf --- M includes/api/ApiErrorFormatter.php M includes/exception/LocalizedException.php M includes/installer/CliInstaller.php M includes/specials/SpecialRecentchanges.php 4 files changed, 7 insertions(+), 9 deletions(-) Approvals: Krinkle: Looks good to me, approved jenkins-bot: Verified Jforrester: Looks good to me, but someone else must approve diff --git a/includes/api/ApiErrorFormatter.php b/includes/api/ApiErrorFormatter.php index 5484a78..7fb1352 100644 --- a/includes/api/ApiErrorFormatter.php +++ b/includes/api/ApiErrorFormatter.php @@ -254,7 +254,7 @@ $ret = preg_replace( '!!', '"', $text ); // Strip tags and decode. - $ret = html_entity_decode( strip_tags( $ret ), ENT_QUOTES | ENT_HTML5 ); + $ret = Sanitizer::stripAllTags( $ret ); return $ret; } diff --git a/includes/exception/LocalizedException.php b/includes/exception/LocalizedException.php index cbdb53e..d2cb5d1 100644 --- a/includes/exception/LocalizedException.php +++ b/includes/exception/LocalizedException.php @@ -56,7 +56,7 @@ // customizations, and make a basic attempt to turn markup into text. $msg = $this->getMessageObject()->inLanguage( 'en' )->useDatabase( false )->text(); $msg = preg_replace( '!!', '"', $msg ); - $msg = html_entity_decode( strip_tags( $msg ), ENT_QUOTES | ENT_HTML5 ); + $msg = Sanitizer::stripAllTags( $msg ); parent::__construct( $msg, $code, $previous ); } diff --git a/includes/installer/CliInstaller.php b/includes/installer/CliInstaller.php index 661c3ec..af55dbb 100644 --- a/includes/installer/CliInstaller.php +++ b/includes/installer/CliInstaller.php @@ -180,7 +180,7 @@ $text = preg_replace( '/(.*?)<\/a>/', '$2 $1', $text ); - return html_entity_decode( strip_tags( $text ), ENT_QUOTES ); + return Sanitizer::stripAllTags( $text ); } /** diff --git a/includes/specials/SpecialRecentchanges.php b/includes/specials/SpecialRecentchanges.php index d856d4b..e7d5e66 100644 --- a/includes/specials/SpecialRecentchanges.php +++ b/includes/specials/SpecialRecentchanges.php @@ -202,10 +202,6 @@ * @return Array Tag data */ protected function buildChangeTagList() { - function stripAllHtml( $input ) { - return trim( html_entity_decode( strip_tags( $input ) ) ); - } - $explicitlyDefinedTags = array_fill_keys( ChangeTags::listExplicitlyDefinedTags(), 0 ); $softwareActivatedTags = array_fill_keys( ChangeTags::listSoftwareActivatedTags(), 0 ); $tagStats = ChangeTags::tagUsageStatistics(); @@ -228,8 +224,10 @@ $result[] = [ 'name' => $tagName, - 'label' => stripAllHtml( ChangeTags::tagDescription( $tagName, $this->getContext() ) ), - 'description' => $desc ? stripAllHtml( $desc->parse() ) : '', + 'label' => Sanitizer::stripAllTags( + ChangeTags::tagDescription( $tagName, $this->getContext() ) + ), + 'description' => $desc ? Sanitizer::stripAllTags( $desc->parse() ) : '', 'cssClass' => Sanitizer::escapeClass( 'mw-tag-' . $tagName ), 'hits' => $hits, ]; -- To view, visit https://gerrit.wikimedia.org/r/363987 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I2ba2ecd388cb3d9cd2360ecaa236f3d444f0eabf Gerrit-PatchSet: 2 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: CatropeGerrit-Reviewer: Jforrester Gerrit-Reviewer: Krinkle Gerrit-Reviewer: MaxSem Gerrit-Reviewer:
[MediaWiki-commits] [Gerrit] mediawiki/core[master]: Use Sanitizer::stripAllTags( $x ) instead of html_entity_dec...
Catrope has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/363987 ) Change subject: Use Sanitizer::stripAllTags( $x ) instead of html_entity_decode( strip_tags( $x ) ) .. Use Sanitizer::stripAllTags( $x ) instead of html_entity_decode( strip_tags( $x ) ) We have a utility function for this, so let's use it. What I don't understand though is why Sanitizer uses custom PHP implementations for both tag stripping and entity decoding, instead of the built-in functions. If there's a security reason for this or the built-ins are inadequate, that's fine, but then that should be documented (and we should possibly ban usage of the built-ins). Change-Id: I2ba2ecd388cb3d9cd2360ecaa236f3d444f0eabf --- M includes/api/ApiErrorFormatter.php M includes/exception/LocalizedException.php M includes/installer/CliInstaller.php M includes/specials/SpecialRecentchanges.php 4 files changed, 5 insertions(+), 9 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/87/363987/1 diff --git a/includes/api/ApiErrorFormatter.php b/includes/api/ApiErrorFormatter.php index 5484a78..7fb1352 100644 --- a/includes/api/ApiErrorFormatter.php +++ b/includes/api/ApiErrorFormatter.php @@ -254,7 +254,7 @@ $ret = preg_replace( '!!', '"', $text ); // Strip tags and decode. - $ret = html_entity_decode( strip_tags( $ret ), ENT_QUOTES | ENT_HTML5 ); + $ret = Sanitizer::stripAllTags( $ret ); return $ret; } diff --git a/includes/exception/LocalizedException.php b/includes/exception/LocalizedException.php index cbdb53e..d2cb5d1 100644 --- a/includes/exception/LocalizedException.php +++ b/includes/exception/LocalizedException.php @@ -56,7 +56,7 @@ // customizations, and make a basic attempt to turn markup into text. $msg = $this->getMessageObject()->inLanguage( 'en' )->useDatabase( false )->text(); $msg = preg_replace( '!!', '"', $msg ); - $msg = html_entity_decode( strip_tags( $msg ), ENT_QUOTES | ENT_HTML5 ); + $msg = Sanitizer::stripAllTags( $msg ); parent::__construct( $msg, $code, $previous ); } diff --git a/includes/installer/CliInstaller.php b/includes/installer/CliInstaller.php index 661c3ec..af55dbb 100644 --- a/includes/installer/CliInstaller.php +++ b/includes/installer/CliInstaller.php @@ -180,7 +180,7 @@ $text = preg_replace( '/(.*?)<\/a>/', '$2 $1', $text ); - return html_entity_decode( strip_tags( $text ), ENT_QUOTES ); + return Sanitizer::stripAllTags( $text ); } /** diff --git a/includes/specials/SpecialRecentchanges.php b/includes/specials/SpecialRecentchanges.php index d856d4b..11b2954 100644 --- a/includes/specials/SpecialRecentchanges.php +++ b/includes/specials/SpecialRecentchanges.php @@ -202,10 +202,6 @@ * @return Array Tag data */ protected function buildChangeTagList() { - function stripAllHtml( $input ) { - return trim( html_entity_decode( strip_tags( $input ) ) ); - } - $explicitlyDefinedTags = array_fill_keys( ChangeTags::listExplicitlyDefinedTags(), 0 ); $softwareActivatedTags = array_fill_keys( ChangeTags::listSoftwareActivatedTags(), 0 ); $tagStats = ChangeTags::tagUsageStatistics(); @@ -228,8 +224,8 @@ $result[] = [ 'name' => $tagName, - 'label' => stripAllHtml( ChangeTags::tagDescription( $tagName, $this->getContext() ) ), - 'description' => $desc ? stripAllHtml( $desc->parse() ) : '', + 'label' => Sanitizer::stripAllTags( ChangeTags::tagDescription( $tagName, $this->getContext() ) ), + 'description' => $desc ? Sanitizer::stripAllTags( $desc->parse() ) : '', 'cssClass' => Sanitizer::escapeClass( 'mw-tag-' . $tagName ), 'hits' => $hits, ]; -- To view, visit https://gerrit.wikimedia.org/r/363987 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I2ba2ecd388cb3d9cd2360ecaa236f3d444f0eabf Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Catrope___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits