[MediaWiki-commits] [Gerrit] SECURITY: Escape > in Html::expandAttributes - change (mediawiki/core)

2015-04-01 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: SECURITY: Escape > in Html::expandAttributes
..


SECURITY: Escape > in Html::expandAttributes

Escape > characters in attributes, so we don't confuse post-processing,
like LanguageConverter.

Bug: T73394
Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
---
M includes/Html.php
M tests/parser/parserTests.txt
2 files changed, 7 insertions(+), 4 deletions(-)

Approvals:
  CSteipp: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/Html.php b/includes/Html.php
index 4b69885..effc488 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -600,17 +600,20 @@
} else {
// Apparently we need to entity-encode \n, \r, 
\t, although the
// spec doesn't mention that.  Since we're 
doing strtr() anyway,
-   // and we don't need  escaped here, we may as 
well not call
-   // htmlspecialchars().
+   // we may as well not call htmlspecialchars().
// @todo FIXME: Verify that we actually need to
// escape \n\r\t here, and explain why, exactly.
#
// We could call Sanitizer::encodeAttribute() 
for this, but we
// don't because we're stubborn and like our 
marginal savings on
// byte size from not having to encode 
unnecessary quotes.
+   // The only difference between this transform 
and the one by
+   // Sanitizer::encodeAttribute() is '' is only 
encoded here if
+   // $wgWellFormedXml is set, and ' is not 
encoded.
$map = array(
'' = 'amp;',
'' = 'quot;',
+   '' = 'gt;',
\n = '#10;',
\r = '#13;',
\t = '#9;'
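Review bot: The added comment at the end of this hunk documents an asymmetry that the new `'>' => '&gt;'` map entry does not remove: one character (by elimination `<`, since `&` and `"` are unconditional in the map) is only encoded when $wgWellFormedXml is set, and the single quote is never encoded by this branch at all. Callers should not read this hunk as "angle brackets are now escaped"; consider stating that in the method's docblock as well, and tighten the sentence "is '' is only encoded here if" to "is that '<' is only encoded here if". The pre-existing "@todo FIXME: Verify that we actually need to escape \n\r\t" is left open, which is acceptable for a security backport but deserves a follow-up task.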
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 2b7f4cd..f660678 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -13901,7 +13901,7 @@
 /ul
 /div
 
-h2span class=mw-headline id=text_.3E_texttext gt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text  textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
+h2span class=mw-headline id=text_.3E_texttext gt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text gt; textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
 psection 1
 /p
 h2span class=mw-headline id=text_.3C_texttext lt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: text lt; textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
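Review bot: The expectation change is confined to the `title=` attribute of the section-edit link (`text > text` becomes `text &gt; text`), while the adjacent unchanged context for section 2 (`title=Edit section: text lt; text`) shows `<` was already encoded in this attribute under the parser-test configuration. This hunk therefore pins down only the `>` path; given the Html.php comment makes `<` encoding conditional on $wgWellFormedXml, a companion expectation with that setting off would make the remaining asymmetry explicit in the test suite instead of implicit in its configuration.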
@@ -19608,7 +19608,7 @@
 /div
 
 h2span class=mw-headline id=Hellosup 
class=in-h2Hello/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: Helloedit/aspan 
class=mw-editsection-bracket]/span/span/h2
-h2span class=mw-headline id=b.22.3EEvilbyesup 
bgt;Evilbye/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;Evilbyeedit/aspan 
class=mw-editsection-bracket]/span/span/h2
+h2span class=mw-headline id=b.22.3EEvilbyesup 
bgt;Evilbye/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;gt;Evilbyeedit/aspan 
class=mw-editsection-bracket]/span/span/h2
 
 !! end
 
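Review bot: This test case should carry a comment or name pointing at T73394, because it is the expectation that carries the security point of the change: the section title `b">Evil` serialises into the link's `title` attribute as `b&quot;>Evil` before and `b&quot;&gt;Evil` after, so previously a raw `>` sat inside a double-quoted attribute value, exactly where a post-processor that locates tag boundaries with a quote-unaware scan for `>` (the LanguageConverter case the commit message names) would end the tag early. Without such a note the `&gt;` is easy to "normalise" back to `>` later as cosmetic. The headline `id=b.22.3EEvilbye` is unchanged, as expected, since the anchor is already in its dotted escape form.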

-- 
To view, visit https://gerrit.wikimedia.org/r/201222
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: CSteipp cste...@wikimedia.org
Gerrit-Reviewer: CSteipp cste...@wikimedia.org
Gerrit-Reviewer: Cscott canan...@wikimedia.org
Gerrit-Reviewer: Daniel Friesen dan...@nadir-seen-fire.com
Gerrit-Reviewer: Jackmcbarn jackmcb...@gmail.com
Gerrit-Reviewer: jenkins-bot 

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
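The commit message above says the missing `>` escape could confuse post-processing such as LanguageConverter. The example below is added for this page and is not MediaWiki code: it re-creates in Python the shape of the strtr() map from the Html.php hunk, before and after the change (including the `$wgWellFormedXml`-conditional `<` entry that the new comment mentions), and runs both serialisations through a deliberately naive, quote-unaware tag scanner that stands in for a real post-processor. The function names, the `/edit` href, the upper-casing "conversion" and the sample title are all constructed for the example.

```python
import re

# Added example for this page, not MediaWiki code. It re-creates in Python the
# shape of the strtr() map used by Html::expandAttributes for attribute values,
# before and after the patch, and feeds the result through a deliberately
# naive, quote-unaware tag scanner that stands in for a post-processor such
# as LanguageConverter (this is not the converter's real logic).

# Single-pass character map; str.translate is the analogue of PHP strtr()
# with an array, so the order of entries does not matter here either.
_MAP_BEFORE = {
    ord("&"): "&amp;",
    ord('"'): "&quot;",
    ord("\n"): "&#10;",
    ord("\r"): "&#13;",
    ord("\t"): "&#9;",
}
# After the patch: '>' is mapped too.
_MAP_AFTER = {**_MAP_BEFORE, ord(">"): "&gt;"}


def escape_attr_before(value: str) -> str:
    """Attribute escaping as it was before the patch: a raw '>' passes through."""
    return value.translate(_MAP_BEFORE)


def escape_attr_after(value: str, well_formed_xml: bool = False) -> str:
    """Attribute escaping after the patch. '<' is only encoded when the
    $wgWellFormedXml-style flag is on, mirroring the comment in the hunk."""
    table = {**_MAP_AFTER, ord("<"): "&lt;"} if well_formed_xml else _MAP_AFTER
    return value.translate(table)


def build_link(escape, title: str, text: str) -> str:
    """Serialise an <a> element with a double-quoted title attribute (constructed href)."""
    return f'<a href="/edit" title="{escape(title)}">{text}</a>'


# The common quote-unaware tag pattern: a tag ends at the first '>' it meets,
# whether or not that '>' sits inside a quoted attribute value.
_TAG_RE = re.compile(r"<[^>]*>")


def naive_text_segments(html: str) -> list:
    """What the quote-unaware scanner believes is text between tags."""
    return [seg for seg in _TAG_RE.split(html) if seg]


def naive_convert(html: str) -> str:
    """Rewrite only the presumed text segments (upper-casing stands in for a
    conversion rule) and copy presumed tags through untouched."""
    out, pos = [], 0
    for m in _TAG_RE.finditer(html):
        out.append(html[pos:m.start()].upper())
        out.append(m.group(0))
        pos = m.end()
    out.append(html[pos:].upper())
    return "".join(out)


def attribute_survives(escape, title: str) -> bool:
    """True if the post-processor leaves the serialised title attribute intact."""
    converted = naive_convert(build_link(escape, title, "edit"))
    return f'title="{escape(title)}"' in converted


# Constructed sample with the same shape as the 'b">Evil' section title that
# the parserTests.txt hunk updates.
SAMPLE_TITLE = 'Edit section: b">Evil'

if __name__ == "__main__":
    for name, esc in (("before", escape_attr_before), ("after", escape_attr_after)):
        html = build_link(esc, SAMPLE_TITLE, "edit")
        print(f"{name}: {html}")
        print(f"  scanner text segments: {naive_text_segments(html)}")
        print(f"  converted:             {naive_convert(html)}")
        print(f"  attribute intact:      {attribute_survives(esc, SAMPLE_TITLE)}")
```

With the pre-patch map the scanner reports `Evil">edit` as text, so part of the attribute value is rewritten by the "converter" and the serialised attribute no longer survives; with `>` mapped to `&gt;` the scanner sees only `edit` and the attribute is untouched. The defensive lesson is the one the patch takes: encode `>` at the single point where attribute values are serialised rather than trying to make every downstream regex-based post-processor quote-aware.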


[MediaWiki-commits] [Gerrit] SECURITY: Escape > in Html::expandAttributes - change (mediawiki/core)

2015-04-01 Thread CSteipp (Code Review)
CSteipp has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/201222

Change subject: SECURITY: Escape > in Html::expandAttributes
..

SECURITY: Escape > in Html::expandAttributes

Escape > characters in attributes, so we don't confuse post-processing,
like LanguageConverter.

Bug: T73394
Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
---
M includes/Html.php
M tests/parser/parserTests.txt
2 files changed, 7 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/22/201222/1

diff --git a/includes/Html.php b/includes/Html.php
index 4b69885..effc488 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -600,17 +600,20 @@
} else {
// Apparently we need to entity-encode \n, \r, 
\t, although the
// spec doesn't mention that.  Since we're 
doing strtr() anyway,
-   // and we don't need  escaped here, we may as 
well not call
-   // htmlspecialchars().
+   // we may as well not call htmlspecialchars().
// @todo FIXME: Verify that we actually need to
// escape \n\r\t here, and explain why, exactly.
#
// We could call Sanitizer::encodeAttribute() 
for this, but we
// don't because we're stubborn and like our 
marginal savings on
// byte size from not having to encode 
unnecessary quotes.
+   // The only difference between this transform 
and the one by
+   // Sanitizer::encodeAttribute() is '' is only 
encoded here if
+   // $wgWellFormedXml is set, and ' is not 
encoded.
$map = array(
'' = 'amp;',
'' = 'quot;',
+   '' = 'gt;',
\n = '#10;',
\r = '#13;',
\t = '#9;'
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 2b7f4cd..f660678 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -13901,7 +13901,7 @@
 /ul
 /div
 
-h2span class=mw-headline id=text_.3E_texttext gt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text  textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
+h2span class=mw-headline id=text_.3E_texttext gt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text gt; textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
 psection 1
 /p
 h2span class=mw-headline id=text_.3C_texttext lt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: text lt; textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
@@ -19608,7 +19608,7 @@
 /div
 
 h2span class=mw-headline id=Hellosup 
class=in-h2Hello/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: Helloedit/aspan 
class=mw-editsection-bracket]/span/span/h2
-h2span class=mw-headline id=b.22.3EEvilbyesup 
bgt;Evilbye/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;Evilbyeedit/aspan 
class=mw-editsection-bracket]/span/span/h2
+h2span class=mw-headline id=b.22.3EEvilbyesup 
bgt;Evilbye/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;gt;Evilbyeedit/aspan 
class=mw-editsection-bracket]/span/span/h2
 
 !! end
 

-- 
To view, visit https://gerrit.wikimedia.org/r/201222
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: CSteipp cste...@wikimedia.org



[MediaWiki-commits] [Gerrit] SECURITY: Escape > in Html::expandAttributes - change (mediawiki/core)

2015-03-31 Thread CSteipp (Code Review)
CSteipp has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/201027

Change subject: SECURITY: Escape > in Html::expandAttributes
..

SECURITY: Escape > in Html::expandAttributes

Escape > characters in attributes, so we don't confuse post-processing,
like LanguageConverter.

Bug: T73394
Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
---
M includes/Html.php
M tests/parser/parserTests.txt
2 files changed, 7 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/27/201027/1

diff --git a/includes/Html.php b/includes/Html.php
index b1d4f00..ca0c76e 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -531,17 +531,20 @@
} else {
// Apparently we need to entity-encode \n, \r, 
\t, although the
// spec doesn't mention that.  Since we're 
doing strtr() anyway,
-   // and we don't need  escaped here, we may as 
well not call
-   // htmlspecialchars().
+   // we may as well not call htmlspecialchars().
// @todo FIXME: Verify that we actually need to
// escape \n\r\t here, and explain why, exactly.
#
// We could call Sanitizer::encodeAttribute() 
for this, but we
// don't because we're stubborn and like our 
marginal savings on
// byte size from not having to encode 
unnecessary quotes.
+   // The only difference between this transform 
and the one by
+   // Sanitizer::encodeAttribute() is '' is only 
encoded here if
+   // $wgWellFormedXml is set, and ' is not 
encoded.
$map = array(
'' = 'amp;',
'' = 'quot;',
+   '' = 'gt;',
\n = '#10;',
\r = '#13;',
\t = '#9;'
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index e8e71b8..c3e972e 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -11642,7 +11642,7 @@
 /ul
 /div
 
-h2span class=mw-headline id=text_.3E_texttext gt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text  textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
+h2span class=mw-headline id=text_.3E_texttext gt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text gt; textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
 psection 1
 /p
 h2span class=mw-headline id=text_.3C_texttext lt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: text lt; textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
@@ -16905,7 +16905,7 @@
 /div
 
 h2span class=mw-headline id=Hellosup 
class=in-h2Hello/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: Helloedit/aspan 
class=mw-editsection-bracket]/span/span/h2
-h2span class=mw-headline id=b.22.3EEvilbyesup 
bgt;Evilbye/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;Evilbyeedit/aspan 
class=mw-editsection-bracket]/span/span/h2
+h2span class=mw-headline id=b.22.3EEvilbyesup 
bgt;Evilbye/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;gt;Evilbyeedit/aspan 
class=mw-editsection-bracket]/span/span/h2
 
 !! end
 

-- 
To view, visit https://gerrit.wikimedia.org/r/201027
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_23
Gerrit-Owner: CSteipp cste...@wikimedia.org



[MediaWiki-commits] [Gerrit] SECURITY: Escape > in Html::expandAttributes - change (mediawiki/core)

2015-03-31 Thread CSteipp (Code Review)
CSteipp has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/201037

Change subject: SECURITY: Escape > in Html::expandAttributes
..

SECURITY: Escape > in Html::expandAttributes

Escape > characters in attributes, so we don't confuse post-processing,
like LanguageConverter.

Bug: T73394
Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
---
M includes/Html.php
M tests/parser/parserTests.txt
2 files changed, 7 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/37/201037/1

diff --git a/includes/Html.php b/includes/Html.php
index 2187b5b..7fa901f 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -525,17 +525,20 @@
} else {
# Apparently we need to entity-encode \n, \r, 
\t, although the
# spec doesn't mention that.  Since we're doing 
strtr() anyway,
-   # and we don't need  escaped here, we may as 
well not call
-   # htmlspecialchars().
+   # we may as well not call htmlspecialchars().
# @todo FIXME: Verify that we actually need to
# escape \n\r\t here, and explain why, exactly.
#
# We could call Sanitizer::encodeAttribute() 
for this, but we
# don't because we're stubborn and like our 
marginal savings on
# byte size from not having to encode 
unnecessary quotes.
+   # The only difference between this transform 
and the one by
+   # Sanitizer::encodeAttribute() is '' is only 
encoded here if
+   # $wgWellFormedXml is set, and ' is not encoded.
$map = array(
'' = 'amp;',
'' = 'quot;',
+   '' = 'gt;',
\n = '#10;',
\r = '#13;',
\t = '#9;'
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index c833ef0..22fe118 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -4506,7 +4506,7 @@
 li class=toclevel-1 tocsection-5a href=#text_.22_textspan 
class=tocnumber5/span span class=toctexttext  text/span/a/li
 /ul
 /td/tr/table
-h2span class=editsection[a 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text  textedit/a]/span span class=mw-headline 
id=text_.3E_text text gt; text /span/h2
+h2span class=editsection[a 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text gt; textedit/a]/span span class=mw-headline 
id=text_.3E_text text gt; text /span/h2
 psection 1
 /p
 h2span class=editsection[a 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: text lt; textedit/a]/span span class=mw-headline 
id=text_.3C_text text lt; text /span/h2
@@ -9165,7 +9165,7 @@
 /ul
 /td/tr/table
 h2span class=editsection[a 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: Helloedit/a]/span span class=mw-headline id=Hello sup 
class=in-h2Hello/sup /span/h2
-h2span class=editsection[a 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;Evilbyeedit/a]/span span class=mw-headline 
id=b.22.3EEvilbye sup bgt;Evilbye/sup /span/h2
+h2span class=editsection[a 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;gt;Evilbyeedit/a]/span span class=mw-headline 
id=b.22.3EEvilbye sup bgt;Evilbye/sup /span/h2
 
 !! end
 

-- 
To view, visit https://gerrit.wikimedia.org/r/201037
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_19
Gerrit-Owner: CSteipp cste...@wikimedia.org



[MediaWiki-commits] [Gerrit] SECURITY: Escape > in Html::expandAttributes - change (mediawiki/core)

2015-03-31 Thread CSteipp (Code Review)
CSteipp has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/201016

Change subject: SECURITY: Escape > in Html::expandAttributes
..

SECURITY: Escape > in Html::expandAttributes

Escape > characters in attributes, so we don't confuse post-processing,
like LanguageConverter.

Bug: T73394
Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
---
M includes/Html.php
M tests/parser/parserTests.txt
2 files changed, 7 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/16/201016/1

diff --git a/includes/Html.php b/includes/Html.php
index 1e16e39..2e14814 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -546,17 +546,20 @@
} else {
// Apparently we need to entity-encode \n, \r, 
\t, although the
// spec doesn't mention that.  Since we're 
doing strtr() anyway,
-   // and we don't need  escaped here, we may as 
well not call
-   // htmlspecialchars().
+   // we may as well not call htmlspecialchars().
// @todo FIXME: Verify that we actually need to
// escape \n\r\t here, and explain why, exactly.
#
// We could call Sanitizer::encodeAttribute() 
for this, but we
// don't because we're stubborn and like our 
marginal savings on
// byte size from not having to encode 
unnecessary quotes.
+   // The only difference between this transform 
and the one by
+   // Sanitizer::encodeAttribute() is '' is only 
encoded here if
+   // $wgWellFormedXml is set, and ' is not 
encoded.
$map = array(
'' = 'amp;',
'' = 'quot;',
+   '' = 'gt;',
\n = '#10;',
\r = '#13;',
\t = '#9;'
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index c90c4f6..f915922 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -12944,7 +12944,7 @@
 /ul
 /div
 
-h2span class=mw-headline id=text_.3E_texttext gt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text  textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
+h2span class=mw-headline id=text_.3E_texttext gt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text gt; textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
 psection 1
 /p
 h2span class=mw-headline id=text_.3C_texttext lt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: text lt; textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
@@ -18472,7 +18472,7 @@
 /div
 
 h2span class=mw-headline id=Hellosup 
class=in-h2Hello/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: Helloedit/aspan 
class=mw-editsection-bracket]/span/span/h2
-h2span class=mw-headline id=b.22.3EEvilbyesup 
bgt;Evilbye/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;Evilbyeedit/aspan 
class=mw-editsection-bracket]/span/span/h2
+h2span class=mw-headline id=b.22.3EEvilbyesup 
bgt;Evilbye/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;gt;Evilbyeedit/aspan 
class=mw-editsection-bracket]/span/span/h2
 
 !! end
 

-- 
To view, visit https://gerrit.wikimedia.org/r/201016
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_24
Gerrit-Owner: CSteipp cste...@wikimedia.org



[MediaWiki-commits] [Gerrit] SECURITY: Escape > in Html::expandAttributes - change (mediawiki/core)

2015-03-31 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: SECURITY: Escape > in Html::expandAttributes
..


SECURITY: Escape > in Html::expandAttributes

Escape > characters in attributes, so we don't confuse post-processing,
like LanguageConverter.

Bug: T73394
Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
---
M includes/Html.php
M tests/parser/parserTests.txt
2 files changed, 7 insertions(+), 4 deletions(-)

Approvals:
  CSteipp: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/Html.php b/includes/Html.php
index 2187b5b..7fa901f 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -525,17 +525,20 @@
} else {
# Apparently we need to entity-encode \n, \r, 
\t, although the
# spec doesn't mention that.  Since we're doing 
strtr() anyway,
-   # and we don't need  escaped here, we may as 
well not call
-   # htmlspecialchars().
+   # we may as well not call htmlspecialchars().
# @todo FIXME: Verify that we actually need to
# escape \n\r\t here, and explain why, exactly.
#
# We could call Sanitizer::encodeAttribute() 
for this, but we
# don't because we're stubborn and like our 
marginal savings on
# byte size from not having to encode 
unnecessary quotes.
+   # The only difference between this transform 
and the one by
+   # Sanitizer::encodeAttribute() is '' is only 
encoded here if
+   # $wgWellFormedXml is set, and ' is not encoded.
$map = array(
'' = 'amp;',
'' = 'quot;',
+   '' = 'gt;',
\n = '#10;',
\r = '#13;',
\t = '#9;'
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index c833ef0..22fe118 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -4506,7 +4506,7 @@
 li class=toclevel-1 tocsection-5a href=#text_.22_textspan 
class=tocnumber5/span span class=toctexttext  text/span/a/li
 /ul
 /td/tr/table
-h2span class=editsection[a 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text  textedit/a]/span span class=mw-headline 
id=text_.3E_text text gt; text /span/h2
+h2span class=editsection[a 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text gt; textedit/a]/span span class=mw-headline 
id=text_.3E_text text gt; text /span/h2
 psection 1
 /p
 h2span class=editsection[a 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: text lt; textedit/a]/span span class=mw-headline 
id=text_.3C_text text lt; text /span/h2
@@ -9165,7 +9165,7 @@
 /ul
 /td/tr/table
 h2span class=editsection[a 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: Helloedit/a]/span span class=mw-headline id=Hello sup 
class=in-h2Hello/sup /span/h2
-h2span class=editsection[a 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;Evilbyeedit/a]/span span class=mw-headline 
id=b.22.3EEvilbye sup bgt;Evilbye/sup /span/h2
+h2span class=editsection[a 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;gt;Evilbyeedit/a]/span span class=mw-headline 
id=b.22.3EEvilbye sup bgt;Evilbye/sup /span/h2
 
 !! end
 

-- 
To view, visit https://gerrit.wikimedia.org/r/201037
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_19
Gerrit-Owner: CSteipp cste...@wikimedia.org
Gerrit-Reviewer: CSteipp cste...@wikimedia.org
Gerrit-Reviewer: Cscott canan...@wikimedia.org
Gerrit-Reviewer: Daniel Friesen dan...@nadir-seen-fire.com
Gerrit-Reviewer: Jackmcbarn jackmcb...@gmail.com
Gerrit-Reviewer: jenkins-bot 



[MediaWiki-commits] [Gerrit] SECURITY: Escape > in Html::expandAttributes - change (mediawiki/core)

2015-03-31 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: SECURITY: Escape > in Html::expandAttributes
..


SECURITY: Escape > in Html::expandAttributes

Escape > characters in attributes, so we don't confuse post-processing,
like LanguageConverter.

Bug: T73394
Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
---
M includes/Html.php
M tests/parser/parserTests.txt
2 files changed, 7 insertions(+), 4 deletions(-)

Approvals:
  CSteipp: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/Html.php b/includes/Html.php
index 1e16e39..2e14814 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -546,17 +546,20 @@
} else {
// Apparently we need to entity-encode \n, \r, 
\t, although the
// spec doesn't mention that.  Since we're 
doing strtr() anyway,
-   // and we don't need  escaped here, we may as 
well not call
-   // htmlspecialchars().
+   // we may as well not call htmlspecialchars().
// @todo FIXME: Verify that we actually need to
// escape \n\r\t here, and explain why, exactly.
#
// We could call Sanitizer::encodeAttribute() 
for this, but we
// don't because we're stubborn and like our 
marginal savings on
// byte size from not having to encode 
unnecessary quotes.
+   // The only difference between this transform 
and the one by
+   // Sanitizer::encodeAttribute() is '' is only 
encoded here if
+   // $wgWellFormedXml is set, and ' is not 
encoded.
$map = array(
'' = 'amp;',
'' = 'quot;',
+   '' = 'gt;',
\n = '#10;',
\r = '#13;',
\t = '#9;'
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index c90c4f6..f915922 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -12944,7 +12944,7 @@
 /ul
 /div
 
-h2span class=mw-headline id=text_.3E_texttext gt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text  textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
+h2span class=mw-headline id=text_.3E_texttext gt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text gt; textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
 psection 1
 /p
 h2span class=mw-headline id=text_.3C_texttext lt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: text lt; textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
@@ -18472,7 +18472,7 @@
 /div
 
 h2span class=mw-headline id=Hellosup 
class=in-h2Hello/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: Helloedit/aspan 
class=mw-editsection-bracket]/span/span/h2
-h2span class=mw-headline id=b.22.3EEvilbyesup 
bgt;Evilbye/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;Evilbyeedit/aspan 
class=mw-editsection-bracket]/span/span/h2
+h2span class=mw-headline id=b.22.3EEvilbyesup 
bgt;Evilbye/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;gt;Evilbyeedit/aspan 
class=mw-editsection-bracket]/span/span/h2
 
 !! end
 

-- 
To view, visit https://gerrit.wikimedia.org/r/201016
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_24
Gerrit-Owner: CSteipp cste...@wikimedia.org
Gerrit-Reviewer: CSteipp cste...@wikimedia.org
Gerrit-Reviewer: jenkins-bot 



[MediaWiki-commits] [Gerrit] SECURITY: Escape > in Html::expandAttributes - change (mediawiki/core)

2015-03-31 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: SECURITY: Escape > in Html::expandAttributes
..


SECURITY: Escape > in Html::expandAttributes

Escape > characters in attributes, so we don't confuse post-processing,
like LanguageConverter.

Bug: T73394
Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
---
M includes/Html.php
M tests/parser/parserTests.txt
2 files changed, 7 insertions(+), 4 deletions(-)

Approvals:
  CSteipp: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/Html.php b/includes/Html.php
index b1d4f00..ca0c76e 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -531,17 +531,20 @@
} else {
// Apparently we need to entity-encode \n, \r, 
\t, although the
// spec doesn't mention that.  Since we're 
doing strtr() anyway,
-   // and we don't need  escaped here, we may as 
well not call
-   // htmlspecialchars().
+   // we may as well not call htmlspecialchars().
// @todo FIXME: Verify that we actually need to
// escape \n\r\t here, and explain why, exactly.
#
// We could call Sanitizer::encodeAttribute() 
for this, but we
// don't because we're stubborn and like our 
marginal savings on
// byte size from not having to encode 
unnecessary quotes.
+   // The only difference between this transform 
and the one by
+   // Sanitizer::encodeAttribute() is '' is only 
encoded here if
+   // $wgWellFormedXml is set, and ' is not 
encoded.
$map = array(
'' = 'amp;',
'' = 'quot;',
+   '' = 'gt;',
\n = '#10;',
\r = '#13;',
\t = '#9;'
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index e8e71b8..c3e972e 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -11642,7 +11642,7 @@
 /ul
 /div
 
-h2span class=mw-headline id=text_.3E_texttext gt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text  textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
+h2span class=mw-headline id=text_.3E_texttext gt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: text gt; textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
 psection 1
 /p
 h2span class=mw-headline id=text_.3C_texttext lt; text/spanspan 
class=mw-editsectionspan class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: text lt; textedit/aspan 
class=mw-editsection-bracket]/span/span/h2
@@ -16905,7 +16905,7 @@
 /div
 
 h2span class=mw-headline id=Hellosup 
class=in-h2Hello/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=1 title=Edit 
section: Helloedit/aspan 
class=mw-editsection-bracket]/span/span/h2
-h2span class=mw-headline id=b.22.3EEvilbyesup 
bgt;Evilbye/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;Evilbyeedit/aspan 
class=mw-editsection-bracket]/span/span/h2
+h2span class=mw-headline id=b.22.3EEvilbyesup 
bgt;Evilbye/sup/spanspan class=mw-editsectionspan 
class=mw-editsection-bracket[/spana 
href=/index.php?title=Parser_testamp;action=editamp;section=2 title=Edit 
section: bquot;gt;Evilbyeedit/aspan 
class=mw-editsection-bracket]/span/span/h2
 
 !! end
 

-- 
To view, visit https://gerrit.wikimedia.org/r/201027
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_23
Gerrit-Owner: CSteipp cste...@wikimedia.org
Gerrit-Reviewer: CSteipp cste...@wikimedia.org
Gerrit-Reviewer: Cscott canan...@wikimedia.org
Gerrit-Reviewer: Daniel Friesen dan...@nadir-seen-fire.com
Gerrit-Reviewer: Jackmcbarn jackmcb...@gmail.com
Gerrit-Reviewer: jenkins-bot 
