On Wed, Apr 11, 2012 at 12:27 AM, Kim Eik <k...@heldig.org> wrote:
> I have created a patch for the gallery tag and have been given the
> following review.
>
> https://gerrit.wikimedia.org/r/4609
>
> * JavaScript injection: you can inject javascript: URIs which execute
> code when clicked
> * plain links ("link=Firefox") are taken as relative URLs which will
> randomly work or not work depending on where they're viewed from
> * need parser test cases to demo it working
>
> So my questions are:
>
> What would be the recommended way of stripping away javascript from
> URIs? Are there any shared functions which do exactly this?

You should check to see how the 'link' parameter is handled on standalone images. In Parser::makeImage() look for the "case 'link':"; it uses existing regexes to check if the link matches allowed URL schemes, and if not tries to treat it as a page title.

> And how would I solve the plain links problem? Do a regex check for an
> absolute URI? e.g. http://example.org/foo/bar?
>
> And what is "parser test cases", phpunit tests? or some other form of
> testing?

Parser test cases live in tests/parser/parserTests.txt, and can be run both through the phpunit test suite and through the standalone parserTests.php -- so a parser test failure should trigger a Jenkins test failure. Each test case specifies input wikitext and output HTML, to confirm that things operate as expected.

-- brion

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
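As an added example (not code from MediaWiki, from the Gerrit change, or from either poster), here is a stand-alone PHP sketch of the approach Brion points to in Parser::makeImage(): test the value against a whitelist of URL schemes plus a URL character class, and otherwise treat it as a page title rather than as a raw href. Everything in it is an assumption for illustration: the protocol list in ALLOWED_PROTOCOLS, the URL character class, the title rules in normalizeTitle(), the '/wiki/' path prefix, and the function names classifyLinkParam()/hrefFor(). It does not use MediaWiki's own classes (wfUrlProtocols, Title, etc.), so it runs on plain PHP 7.4+.

```php
<?php
// Stand-alone illustration of the "allowed scheme, else page title" check for a
// link= parameter. Not MediaWiki code; all lists and rules below are assumptions.

// Assumed scheme whitelist. A trailing '//' entry allows protocol-relative URLs.
const ALLOWED_PROTOCOLS = ['http://', 'https://', 'ftp://', 'mailto:', '//'];

// Assumed set of characters permitted after the scheme in an external URL:
// anything except brackets, angle brackets, quotes, controls and whitespace.
const URL_CHAR_CLASS = '[^][<>"\\x00-\\x20\\x7F\\p{Zs}]';

// Assumed characters that are never legal inside a page title.
const ILLEGAL_TITLE_CHARS = '/[#<>\\[\\]|{}\\x00-\\x1F\\x7F]/';

// Build a non-capturing alternation of the whitelisted schemes.
function protocolRegex(): string {
    $alts = array_map(fn($p) => preg_quote($p, '/'), ALLOWED_PROTOCOLS);
    return '(?:' . implode('|', $alts) . ')';
}

/**
 * Classify a raw link= value.
 * Returns ['link-url', $url]    for a whitelisted external URL,
 *         ['link-title', $title] for a value treated as a page title,
 *         ['no-link', true]      for an empty value (image with no link),
 *         or null when the value is malformed and must be dropped.
 */
function classifyLinkParam(string $value): ?array {
    $value = trim($value);
    if ($value === '') {
        return ['no-link', true];
    }
    $prots = protocolRegex();
    // Scheme match is case-insensitive: "HTTP://" is fine, "JavaScript:" is not
    // on the list and therefore never reaches the external-link branch.
    if (preg_match('/^' . $prots . '/iu', $value)) {
        // Whitelisted scheme: accept only if the remainder is made of URL characters.
        if (preg_match('/^' . $prots . URL_CHAR_CLASS . '+$/iu', $value)) {
            return ['link-url', $value];
        }
        return null;
    }
    // Anything else (javascript:, data:, vbscript:, plain words) is treated as a
    // page title, which is rendered as an internal path, never as a raw href.
    $title = normalizeTitle($value);
    return $title === null ? null : ['link-title', $title];
}

// Assumed title normalization: collapse spaces/underscores, reject illegal
// characters, upper-case the first character.
function normalizeTitle(string $text): ?string {
    $text = preg_replace('/[ _]+/u', ' ', trim($text));
    if ($text === '' || preg_match(ILLEGAL_TITLE_CHARS, $text)) {
        return null;
    }
    return mb_strtoupper(mb_substr($text, 0, 1)) . mb_substr($text, 1);
}

// Render the classification as an href attribute value. Internal links get an
// absolute wiki path (assumed '/wiki/' prefix), so "link=Firefox" no longer
// resolves relative to whatever page the gallery happens to be viewed from.
function hrefFor(string $value): ?string {
    $r = classifyLinkParam($value);
    if ($r === null || $r[0] === 'no-link') {
        return null;
    }
    if ($r[0] === 'link-url') {
        return htmlspecialchars($r[1], ENT_QUOTES, 'UTF-8');
    }
    return '/wiki/' . rawurlencode(str_replace(' ', '_', $r[1]));
}

// Constructed sample inputs covering the three review points above.
$samples = [
    'http://example.org/foo/bar',      // whitelisted scheme -> external link
    'HTTPS://example.org/x?a=1&b=2',   // case-insensitive scheme, '&' escaped
    'javascript:alert(1)',             // not whitelisted -> harmless page title
    'JavaScript:alert(1)',             // same, regardless of case
    'Firefox',                         // plain word -> /wiki/Firefox
    'http://example.org/<script>',     // bad URL characters -> dropped
    '',                                // empty -> image carries no link
];
foreach ($samples as $s) {
    printf("%-32s => %s\n", var_export($s, true), var_export(hrefFor($s), true));
}
```

Run it with `php link_param.php`. The point to notice is that a javascript: value is never rejected by string-stripping; it simply fails the scheme whitelist and falls into the title branch, where it can only ever become an internal /wiki/ path. Any scheme you want to permit has to be added to the whitelist explicitly, which is the direction a safe check should take.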