User "Brion VIBBER" posted a comment on MediaWiki.r98892.

Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/98892#c23760

Commit summary:

Followup r98578 - expect nulls

Comment:

Problem seems to come about by directly manipulating an EditPage instance's member variables in a hook, so there's no interface boundary for EditPage to validate the input.

TranslateEditAddons::editBoxes() is setting $object->textbox1 directly... looks like normally it gets set inside (from Article::getContent() in EditPage::initialiseForm() or via EditPage::safeUnicodeInput from form input). It can in some places be set via an outparam on EditFormPreloadText, which should probably validate.

The hook appears to be getting called via 'EditPage::showEditForm:initial'.... editBoxes() seems to change the initial text as a side-effect, and also return some HTML chunks to display somewhere?

Would the initial text be better set via the EditFormInitialText or EditFormPreloadText hooks which appear to exist for that sort of purpose? We could then do some validity checks around them, or add a public method to set the text which would validate which the hook can use.

_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
