"Brion VIBBER" changed the status of MediaWiki.r105122 to "fixme" and commented
on it.
URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/105122#c27070
Old Status: new
New Status: fixme
Commit summary for MediaWiki.r105122:
Adding new debugging toolbar
Needs a UI cleanup still, but for the most part is working.
Brion VIBBER's comment:
A lot of the HTML building in the JS side is inserting server-provided strings
directly into raw HTML. These strings are actually plaintext, and should be
escaped.
Best practice is to set text and attributes using jQuery methods. Instead of:
    html += '<li><span class="mw-debug-right">' + file.size + '</span> ' +
        file.name + '</li>';
consider something like:
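    $('<li>')
        .append( $('<span class="mw-debug-right"></span>').text(file.size) )
        // a string passed to .append() is parsed as HTML, so add the name as a text node
        .append( document.createTextNode( ' ' + file.name ) )
        .appendTo($list);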
and return elements or a jQuery wrapper directly instead of HTML.
If you need to create HTML source directly, then make liberal use of
mw.html.escape() or mw.html.element() helper functions (the former is like
htmlspecialchars(), the latter is like Html::element()).
_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
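
Added example (not part of the review above and not MediaWiki's own code): the concatenation pattern the comment flags, next to a version that escapes every server-provided string. `escapeHtml` and `element` are hypothetical local stand-ins for `mw.html.escape()` and `mw.html.element()` so the snippet runs outside MediaWiki; the function names and the sample file entries are constructed for illustration.

```javascript
// Stand-in for mw.html.escape(): escapes the HTML-significant characters.
// (Hypothetical local helper, assumed here so the example runs without MediaWiki.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for mw.html.element(): attribute values and text content are always escaped.
function element(name, attrs, text) {
  let out = '<' + name;
  for (const [k, v] of Object.entries(attrs || {})) {
    out += ' ' + k + '="' + escapeHtml(v) + '"';
  }
  return out + '>' + escapeHtml(text) + '</' + name + '>';
}

// The pattern from the review: plaintext concatenated straight into raw HTML.
function renderFileUnsafe(file) {
  return '<li><span class="mw-debug-right">' + file.size + '</span> ' + file.name + '</li>';
}

// Same markup, with each server-provided string escaped before it reaches the HTML.
function renderFileEscaped(file) {
  return '<li>' + element('span', { 'class': 'mw-debug-right' }, file.size) +
    ' ' + escapeHtml(file.name) + '</li>';
}

// Constructed sample data: the second name carries markup instead of plain text.
const files = [
  { name: 'example.php', size: '12 KB' },
  { name: '<img src=x onerror=alert(1)>.php', size: '1 KB' },
];

for (const f of files) {
  console.log('unsafe :', renderFileUnsafe(f));
  console.log('escaped:', renderFileEscaped(f));
}
```

For ordinary names both builders return identical markup; they diverge only when a string contains HTML-significant characters, which is why this class of bug passes casual testing.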