https://bugzilla.wikimedia.org/show_bug.cgi?id=14531
--- Comment #8 from Marcin Cieślak <[email protected]> 2012-03-12 04:39:55 UTC ---
Comment on attachment 10221
  --> https://bugzilla.wikimedia.org/attachment.cgi?id=10221
a simple patch to the Message class - use << >> now instead of < >

The original form of placeholder "<message-name>" introduced in r64182 has a pretty interesting property: it survives most kinds of parsing and sanitizing:

> print wfMessage("i-dont-exist-aevar")->plain();
<i-dont-exist-aevar>
> print wfMessage("i-dont-exist-aevar")->escaped();
<i-dont-exist-aevar>
> print wfMessage("i-dont-exist-aevar")->parse();
<i-dont-exist-aevar>
> print wfMessage("i-dont-exist-aevar")->parseAsBlock();
<p><i-dont-exist-aevar>
</p>
> $z = wfMessage("i-dont-exist-aevar")->plain();
> print Sanitizer::removeHTMLtags($z);
<i-dont-exist-aevar>
> print Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($z));
<i-dont-exist-aevar>
> print
> Sanitizer::stripAllTags(Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($z)));
<i-dont-exist-aevar>
> print
> wfMessage('pagetitle')->rawParams(Sanitizer::stripAllTags(Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($z))));
<i-dont-exist-aevar>
– TrunkWiki

The above is possible because Message uses doubleEncode = false with htmlspecialchars() and therefore it magically does not get quoted again.
The <<i-dont-exist-aevar>> form isn't that great anymore:

> print Sanitizer::removeHTMLtags("<<i-dont-exist>>");
<<i>></i>
> print wfMessage("i-dont-exist-asdasd")->text();
<<i-dont-exist-asdasd>>
> print Sanitizer::normalizeCharReferences(
> Sanitizer::removeHTMLtags("<<i-dont-exist-ever>>"));
<<i>></i>
> $z = wfMessage("i-dont-exist-aevar")->plain();
> print
> wfMessage('pagetitle')->rawParams(Sanitizer::stripAllTags(Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($z))));
<>
- MiniTest
> print wfMessage("i-dont-exist-aevar")->parse();
<<i>></i>

It seems like the <<form>> as done by the patch isn't that resistant to various transformations; therefore it is more difficult to spot.

It would be best to have a special value (similar to SQL NULL) or exception object that would be transferred down through all sanitizing, escaping and quoting functions. Not sure if this is worth the effort; and probably would not be bug-free.

For now, it seems that the current method is a very simple way to produce an eye-alerting message despite various transformations. It does not have to be always very pretty though.

a WONTFIX?
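The following is an added example, not code from the bug report or from MediaWiki's Message or Sanitizer classes. It models in Python the two mechanisms the comment above names: a PHP-style htmlspecialchars() whose doubleEncode = false leaves an already-escaped placeholder alone on every further escaping pass, and a whitelist tag sanitizer that tokenises a tag name as a run of word characters, which is the assumption that reproduces the "<<i>></i>" and "<>" results quoted above for the << >> form. The whitelist, the regexes, the message key and the strip_all_tags() stand-in are all assumptions made for the example; key_visible() is the check a practitioner would want to run over any placeholder scheme.

```python
import html
import re

# Constructed placeholders, one per form discussed in the bug (assumed key).
MESSAGE_KEY = "i-dont-exist-aevar"
OLD_FORM = "<" + MESSAGE_KEY + ">"      # form introduced in r64182
NEW_FORM = "<<" + MESSAGE_KEY + ">>"    # form proposed by attachment 10221

# Toy whitelist and tokeniser: assumptions for this example, not MediaWiki's
# real tables. Tokenising the tag name as \w+ is what turns "<<i-dont-exist>>"
# into "<<i>></i>": the second '<' opens a tag named "i" whose junk
# "attributes" are discarded.
ALLOWED_TAGS = {"i", "b", "p", "span"}
TAG_RE = re.compile(r"^(/?)(\w+)([^>]*?)(/?>)([^<]*)$", re.S)
ATTR_RE = re.compile(r'([A-Za-z][\w-]*)\s*=\s*"([^"]*)"')
# An '&' that already starts a character reference (named, decimal or hex).
ENTITY_AHEAD = re.compile(r"&(?!(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);)")


def htmlspecialchars(text, double_encode=True):
    """PHP-style htmlspecialchars() with ENT_QUOTES. With double_encode=False
    an existing entity is left alone, so an escaped placeholder such as
    &lt;key&gt; is a fixed point of repeated escaping."""
    if double_encode:
        text = text.replace("&", "&amp;")
    else:
        text = ENTITY_AHEAD.sub("&amp;", text)
    return (text.replace("<", "&lt;").replace(">", "&gt;")
                .replace('"', "&quot;").replace("'", "&#039;"))


def remove_html_tags(text):
    """Toy whitelist sanitizer. Splits on '<'; a chunk that parses as a
    whitelisted tag is rebuilt with only well-formed attributes, unknown tags
    and unbalanced closers are entity-escaped, and tags still open at the end
    are closed."""
    bits = text.split("<")
    out = bits[0].replace(">", "&gt;")
    open_tags = []
    for chunk in bits[1:]:
        m = TAG_RE.match(chunk)
        if m is not None:
            slash, name, params, brace, rest = m.groups()
            name = name.lower()
            rest = rest.replace(">", "&gt;")
            if name in ALLOWED_TAGS and slash and name in open_tags:
                while True:  # close down to, and including, the named tag
                    top = open_tags.pop()
                    out += "</%s>" % top
                    if top == name:
                        break
                out += rest
                continue
            if name in ALLOWED_TAGS and not slash:
                attrs = "".join(' %s="%s"' % kv for kv in ATTR_RE.findall(params))
                if brace == ">":
                    open_tags.append(name)
                out += "<%s%s%s%s" % (name, attrs, brace, rest)
                continue
        out += "&lt;" + chunk.replace(">", "&gt;")
    return out + "".join("</%s>" % name for name in reversed(open_tags))


def strip_all_tags(text):
    """Crude tag stripper, standing in for Sanitizer::stripAllTags()."""
    return re.sub(r"<[^>]*>", "", text)


def rendered(text):
    """What a reader sees: tags removed, character references decoded."""
    return html.unescape(strip_all_tags(text))


def key_visible(text, key=MESSAGE_KEY):
    """The property a missing-message marker must keep: the key is still
    readable after whatever chain of transformations the page applied."""
    return key in rendered(text)


def run_pipeline(placeholder, steps):
    """Apply each transformation in turn and return every intermediate value."""
    trail = [placeholder]
    for step in steps:
        trail.append(step(trail[-1]))
    return trail


if __name__ == "__main__":
    escape_once = lambda s: htmlspecialchars(s, double_encode=False)
    # Old form: escaping is idempotent, so the marker stays readable however
    # many times it is escaped on its way to the page.
    trail = run_pipeline(OLD_FORM, [escape_once, escape_once, strip_all_tags])
    print(trail, "visible:", key_visible(trail[-1]))
    # New form: the sanitizer reads "<i-dont..." as an <i> tag and eats the key.
    trail = run_pipeline(NEW_FORM, [remove_html_tags, strip_all_tags])
    print(trail, "visible:", key_visible(trail[-1]))
```

run_pipeline() keeps every intermediate string so the step that destroyed the marker can be identified, which is the diagnosis the transcript above does by hand; key_visible() is the one assertion worth keeping in a test suite for any placeholder scheme, whichever bracket characters it ends up using.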
