--- Comment #5 from Bartosz Dziewoński <matma....@gmail.com> ---
(In reply to Chris Steipp from comment #0)
> The only thing I'd really like to see changed is in
> php/widgets/InputWidget.php, the "sanitizeValue" function doesn't do any
> (security) sanitization, which I think could cause confusion later on.
> If the name can't be changed, maybe make the comments explicit that it's not
> security sanitization?
> It would also be nice to have some extra sanitization built in from the
> start, which we can't do in the Html/Xml classes since they're abused in odd
> ways, but have bitten some developers (SemanticForms had a bunch of issues
> because they assumed these happened):
> * Validate tag name will be parsed in html as a single tag name, so it doesn't
> contain whitespace, /, >, or null.
> * Validate attribute names don't contain whitespace, /, =, >
> There are also a couple of places you're adding style attributes directly.
> Is it possible to avoid that? My long-term plan is to have MediaWiki set a
> Content Security Policy that doesn't allow inline css, so I'd prefer to not
> introduce new uses of it, if possible.
So in the end, there are only three such places in PHP code:
* LabelElement. This one already came up earlier as a code quality
issue, actually. Should be fixable, but preferably not right now :)
Filed bug 73677 so it's not forgotten.
* GridLayout. Alas, inline styles are a core part of how it works and
the only way to fix it would be to remove the class entirely.
* widgets.php demo, where it's used on a GridLayout (and is also
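The two name checks Chris lists in comment #0, as an added example (not OOUI or MediaWiki code) inside a small tag renderer; the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not from OOUI/MediaWiki: the tag-name and attribute-name
// checks quoted in comment #0, applied before an element is rendered.

function isValidTagName(string $name): bool {
    // A tag name must parse as a single token in HTML:
    // no whitespace, '/', '>' or NUL byte.
    return $name !== '' && !preg_match('/[\s\/>\x00]/', $name);
}

function isValidAttributeName(string $name): bool {
    // An attribute name must not contain whitespace, '/', '=' or '>'.
    return $name !== '' && !preg_match('/[\s\/=>]/', $name);
}

/**
 * Render an opening tag. Attribute values are escaped as usual; names are
 * validated too, because value escaping does nothing for a caller who
 * assumes a name is safe and lets '=' or '>' through it.
 */
function renderOpenTag(string $tag, array $attribs): string {
    if (!isValidTagName($tag)) {
        throw new InvalidArgumentException('Invalid tag name: ' . var_export($tag, true));
    }
    $out = '<' . $tag;
    foreach ($attribs as $name => $value) {
        $name = (string)$name;
        if (!isValidAttributeName($name)) {
            throw new InvalidArgumentException('Invalid attribute name: ' . var_export($name, true));
        }
        $out .= ' ' . $name . '="' . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $out . '>';
}

// Constructed inputs: a well-formed element, then a name that would split
// the tag apart if it were accepted and a tag name that is not a single token.
echo renderOpenTag('input', ['type' => 'text', 'value' => 'a "quoted" value']), "\n";

foreach ([['input', ['class="x" data-y' => '1']], ['input onfocus', []]] as [$tag, $attribs]) {
    try {
        renderOpenTag($tag, $attribs);
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), "\n";
    }
}
```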