https://bugzilla.wikimedia.org/show_bug.cgi?id=28816
--- Comment #9 from Brion Vibber <[email protected]> 2011-11-28 16:15:58 UTC ---

A few more little notes:

UiBuilder.createInputs doesn't escape the field names when building HTML. While this shouldn't be a problem, it feels sketchy, especially since the field names are received from the API and probably aren't being validated here.

UiBuilder.setHelp could fail interestingly if literal "$1" occurs in the help URL. Should escape input strings for the regex replacement here?

UiBuilder.input doesn't escape names etc. There's also a bit that doesn't escape a value var, which here is fixed but could change in the future to a parameter; safer to make sure it's escaped.

getRequestData() doesn't %-escape field names. Shouldn't matter, but you never know.

smartEscape() isn't very clear about what structures it's pretty-printing (appears to be 'areas of indentation' and 'indented lines', but the regexes are hard to read, and it wouldn't hurt to add a comment to that effect).

updateQueryInfo() is missing a 'var' local var definition for 'data', and sets a global variable instead.

There are a bunch of 'for (var x in obj)' loops:

    for ( var prop in data.paraminfo ) {

This is unsafe if object prototypes have been modified by some JS libraries. Recommend using $.map or $.each() here, which already covers the necessary logic. (Otherwise use if(data.paraminfo.hasOwnProperty(prop)) on each iteration.)

merge() appears to be unused; it also looks like $.extend() can accept multiple arguments, making it unnecessary.
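The following is an added example, not code from the ApiSandbox extension or from the bug report. It reproduces, on constructed inputs, the unescaped field name, the "$1"-in-replacement problem, the prototype-polluted for-in loop and the missing 'var' that the comment lists, and places the safe form next to each. Names such as paraminfo, inputHtmlSafe and setHelpSafe are placeholders chosen for this example.

```javascript
// Added example (not the extension's code). Four of the pitfalls from
// comment #9, each with an unsafe and a safe variant on constructed data.

// 1. Field names arrive from the API and are not validated, so treat them
//    as untrusted text: escape before building markup (or use DOM APIs such
//    as setAttribute, which avoids string-building entirely).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

function inputHtmlUnsafe(fieldName) {
  return '<input name="' + fieldName + '">';
}

function inputHtmlSafe(fieldName) {
  return '<input name="' + escapeHtml(fieldName) + '">';
}

// 2. A replacement *string* given to String.prototype.replace is
//    interpreted: "$&" is the match, "$$" a literal "$", "$n" a group.
//    A help URL containing such sequences is therefore mangled when it is
//    substituted for the "$1" placeholder. A replacer function inserts the
//    URL verbatim, so no escaping of the URL is needed.
function setHelpUnsafe(template, url) {
  return template.replace('$1', url);
}

function setHelpSafe(template, url) {
  return template.replace('$1', function () { return url; });
}

// 3. for-in also walks enumerable properties inherited through the
//    prototype chain, so a library that extends Object.prototype makes
//    phantom "parameters" appear. Filter with hasOwnProperty (or use
//    Object.keys(), which is own-properties only).
function paramNamesUnsafe(paraminfo) {
  var names = [];
  for (var prop in paraminfo) {
    names.push(prop);
  }
  return names;
}

function paramNamesSafe(paraminfo) {
  var names = [];
  for (var prop in paraminfo) {
    if (Object.prototype.hasOwnProperty.call(paraminfo, prop)) {
      names.push(prop);
    }
  }
  return names; // equivalent to Object.keys(paraminfo)
}

// Constructed stand-in for API data that has picked up an inherited,
// enumerable property. Object.create is used so the real Object.prototype
// stays untouched; the effect on for-in is the same as a library patch.
function makePollutedParaminfo() {
  var proto = { libHelper: function () {} };
  var paraminfo = Object.create(proto);
  paraminfo.action = { type: 'string' };
  paraminfo.format = { type: 'string' };
  return paraminfo;
}

// 4. Assigning to an undeclared name silently creates a global in sloppy
//    mode; under 'use strict' the missing "var" becomes a ReferenceError,
//    which is the cheapest way to catch the updateQueryInfo() bug.
function updateQueryInfoStrict(info) {
  'use strict';
  data = info; // missing "var": throws ReferenceError in strict mode
  return data;
}

function demo() {
  var polluted = makePollutedParaminfo();
  return {
    unsafeInput: inputHtmlUnsafe('a"b<c>'),
    safeInput: inputHtmlSafe('a"b<c>'),
    unsafeHelp: setHelpUnsafe('Help: $1', 'https://example.invalid/?q=$&'),
    safeHelp: setHelpSafe('Help: $1', 'https://example.invalid/?q=$&'),
    unsafeNames: paramNamesUnsafe(polluted),
    safeNames: paramNamesSafe(polluted)
  };
}
```

Running demo() shows the attribute value breaking out of its quotes in the unsafe input, the "$&" in the help URL being rewritten to "$1" by the string-based replace, and libHelper showing up as a parameter name in the unfiltered loop.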
