https://bugzilla.wikimedia.org/show_bug.cgi?id=18719
Summary: Do not unavoidably HTML-escape link attributes
Product: MediaWiki
Version: 1.15-svn
Platform: All
OS/Version: All
Status: NEW
Keywords: need-review, patch
Severity: enhancement
Priority: Normal
Component: General/Unknown
AssignedTo: [email protected]
ReportedBy: [email protected]
Created an attachment (id=6096)
--> (https://bugzilla.wikimedia.org/attachment.cgi?id=6096)
Patch to Xml.php and Linker.php against r50336

A significant number of the legitimate/unavoidable uses of hardcoded HTML in
the codebase are to hardcode links; it is necessary to use hardcoding instead
of the functions from Xml.php or Linker.php because all these functions
HTML-escape attribute values. This means it is impossible to use
Linker::link() or Xml::tags() to add a link when you need to add JavaScript
onclick handlers or other things that need raw HTML. The HTML-escaping needs
to be avoidable.

This patch adds a parameter through the call stack right down to
Xml::expandAttributes() to optionally circumvent the call to
Sanitizer::encodeAttribute(); by the time this bubbles up to Linker::link()
it's wrapped in one of the available $options values. Tested.
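
An added illustration, not MediaWiki code and not part of the attachment: a simplified stand-in for the attribute expansion the report describes, with an opt-out flag, run over constructed values to compare what an HTML parser recovers from escaped and unescaped attribute values. `expand_attributes()`, `parsed_attributes()` and the sample values are hypothetical, and PHP's DOM extension is assumed to be available.

```php
<?php
// Hypothetical stand-in for attribute expansion with an escape opt-out.
// This is NOT MediaWiki's Xml::expandAttributes(); htmlspecialchars() is
// used here in place of Sanitizer::encodeAttribute().
function expand_attributes(array $attribs, bool $escape = true): string {
    $out = '';
    foreach ($attribs as $name => $value) {
        $value = (string)$value;
        if ($escape) {
            $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
        $out .= " $name=\"$value\"";
    }
    return $out;
}

// Parse the generated tag with an HTML parser and return the attributes
// it actually sees on the <a> element (name => decoded value).
function parsed_attributes(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $a = $doc->getElementsByTagName('a')->item(0);
    $found = [];
    foreach ($a->attributes as $attr) {
        $found[$attr->name] = $attr->value;
    }
    return $found;
}

// Constructed sample values.
$handler = 'return confirm("Delete?");';   // handler text containing quotes
$title   = 'x" data-injected="1';          // value from an untrusted source

// Escaping on: the parser decodes the entities again, so each value is
// compared with the string that was passed in.
$escaped = '<a' . expand_attributes(
    ['href' => '/wiki/X', 'onclick' => $handler, 'title' => $title]
) . '>x</a>';
$seen = parsed_attributes($escaped);
echo "escaped markup: $escaped\n";
echo 'onclick round-trips: ' . var_export($seen['onclick'] === $handler, true) . "\n";
echo 'title round-trips:   ' . var_export($seen['title'] === $title, true) . "\n";

// Escaping off: list which attributes the parser finds on the element.
$raw = '<a' . expand_attributes(['href' => '/wiki/X', 'title' => $title], false) . '>x</a>';
echo "raw markup: $raw\n";
echo 'attributes seen: ' . implode(', ', array_keys(parsed_attributes($raw))) . "\n";
```

Any caller that turns the escape off takes over responsibility for every value it passes, so a review of such a change should trace where each unescaped value originates.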