https://bugzilla.wikimedia.org/show_bug.cgi?id=57270
--- Comment #12 from Chris Steipp <[email protected]> ---

Ok, I've finished reviewing all of the code, so this should be the last of the issues:

includes/View/PostActionMenu.php
* Document that getAction()'s $content is unescaped

includes/View/History/HistoryRenderer.php
* Document that the keys of getTimespans() are passed raw into HTML output

templates/history-line.html.php
* Please escape $class

templates/post.html.php
* Document that the return of AbstractRevision::getModerationState() is written to raw HTML, or escape it here
* Exploitable XSS: escape usernames when used in an attribute
* Double-quote all attributes (htmlspecialchars does not escape ')

includes/View/Post.php
* editPostButton(), hidePostButton(), deletePostButton(), etc.: use escaped() instead of plain(), to comply with the assumptions of PostActionMenu::getButton()

templates/topic.html.php
* Double-quote attributes
* Document that AbstractRevision::getModerationState() is written to raw HTML, or escape it here
* Use escaped() messages in the call to getButton()
* echo wfMessage( 'flow-topic-comments', $comments )->text(); should use escaped()

In general for the templates, it would be great if you all could standardize where the items written into the template are escaped. There's a mix of escaping the parameter before you render the template, escaping in the template, and relying on functions called from within the templates to produce correct HTML for the context. That makes it really hard to catch errors.

Wikibugs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
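The two points the review keeps coming back to, that htmlspecialchars() leaves a single quote alone and that escaping should happen in one agreed place, are easy to see in a few lines of standalone PHP. The block below is an added illustration, not Flow's code or anything from the bug: the username, the escapeCompat()/escapeAttr()/e() helpers, the SafeHtml marker class and renderPostLine() are all invented for the example. escapeCompat() passes ENT_COMPAT explicitly so that it reproduces the pre-PHP-8.1 default (since PHP 8.1 the default already includes ENT_QUOTES) on any PHP version.

```php
<?php
// Added example, not code from the Flow extension or from the bug report.

// Constructed sample: a username an attacker registered for this demonstration.
// It is harmless in a double-quoted attribute and live in a single-quoted one.
$username = "x' onmouseover='alert(1)";

// The escaper behaviour the review is warning about: ENT_COMPAT (PHP's default
// before 8.1) converts & < > " but leaves ' untouched. Flags are explicit so the
// result is the same on every PHP version.
function escapeCompat(string $s): string {
    return htmlspecialchars($s, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Attribute-safe escaper: ENT_QUOTES also escapes ' (as &#039;), and
// ENT_SUBSTITUTE returns U+FFFD instead of an empty string on invalid UTF-8,
// which otherwise silently drops the whole value.
function escapeAttr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// 1. Vulnerable: single-quoted attribute plus an escaper that does not touch '.
//    The ' in the username closes title= and onmouseover= becomes a new attribute.
$vuln = "<a class='user' title='" . escapeCompat($username) . "'>profile</a>";
echo $vuln, "\n";

// 2. Fixed by double-quoting the attribute: ENT_COMPAT does escape ", so the
//    value cannot close the attribute it sits in.
$fixedQuotes = '<a class="user" title="' . escapeCompat($username) . '">profile</a>';
echo $fixedQuotes, "\n";

// 3. Fixed by escaping ' as well: safe regardless of which quote the template used.
$fixedFlags = "<a class='user' title='" . escapeAttr($username) . "'>profile</a>";
echo $fixedFlags, "\n";

// One way to standardize where escaping happens (the review's last paragraph):
// templates never concatenate a value directly, only through e(). Plain strings
// are always escaped at output; the only way to emit markup unescaped is to wrap
// it in SafeHtml, which makes every trusted-HTML assumption visible at the call
// site instead of being implied by the helper that produced the string.
final class SafeHtml {
    public function __construct(public string $html) {}
}

function e(string|SafeHtml $v): string {
    return $v instanceof SafeHtml ? $v->html : escapeAttr($v);
}

// Hypothetical template function standing in for a post line: raw values come
// in, escaping is done here and nowhere else, and $actionMenu must already be
// marked safe by whoever built it (the analogue of documenting that
// getAction()'s $content or getModerationState() is written raw).
function renderPostLine(string $username, string $moderationState, SafeHtml $actionMenu): string {
    return '<div class="flow-post" data-state="' . e($moderationState) . '">'
         . '<a class="user" title="' . e($username) . '">' . e($username) . '</a>'
         . e($actionMenu)
         . '</div>';
}

echo renderPostLine($username, "hidden", new SafeHtml('<span class="menu">…</span>')), "\n";
```

Running it prints the injected onmouseover attribute for case 1 and an inert title for cases 2 and 3; the third output shows the same username rendered through the single-choke-point template, where the only raw HTML is the explicitly wrapped menu fragment.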
