[Wikitech-l] Question re. Html class : I ran into a problem correctly escaping the $content component

[Thomas Gries]

I recently try to modernize an extension [1] to use the /_Html _/class
and found a problem (at least for me) .
Like to receive your comments, and tips.


In several cases, I had to use Htlm::rawElement (*) instead of the safer
Html::element because of a nested <div> structure I want to generate like


<div id=outerdiv>
  outertext-with-&#160;-or-something-character

  <div id=innerdiv>
  innertext
  </div>

</div>


Html::rawElement( 'div',
  array( 'some-outer-attributes' => 'some-outer-attribute-values'),
  $outertext .
  Html:element( 'div'
      array( 'some-inner-attributes' => 'some-inner-attribute-values'),
      $innertext

)

After having compared Html methods rawElement and Element, and after
having asked around the #mediawiki
I found that I have to escape the content manually and could/should use
basically one of these two possibilities:

i) The #mediawiki recommended *htmlspecialchars*()

ii) Inside Html:element method I found
*
strtr( $contents, array(**
**  // There's no point in escaping quotes, >, etc. in the contents of**
**   // elements.**
**   '&' => '&amp;',**
**   '<' => '&lt;'**
**)*


*Both *are not suited for my case, when $outertext has this  "&#160;" 
character in it.

After looking around in class Html and class Xml I found,
that some of the methods use $wgContLang->normalize( $string ), and this
works for me, too.
I put this is into a private wrapper function escapeContent() =
*$wg**ContLang->normalize() (not shown here)
*


Html::rawElement( 'div',
  array( 'some-outer-attributes' => 'some-outer-attribute-values'),
*  ***$wg**ContLang->normalize****( $outertext ) .
  Html:element( 'div'
      array( 'some-inner-attributes' => 'some-inner-attribute-values'),
      $innertext

)


I am however not happy with that approach, because I do not know, if it
is correctly applied.

Therefore my questions to you:

1.    Is my approach of applying Html class and using ->normalize()
correct ?
2.    What could I do better, perhaps should I apply a certain
Sanitizer::method - or what else ?
3.     Perhaps I am fully wrong, then please guide me to find a correct
solution.

I will be available on #mediawiki during the evening hours (UTC+2;
Wikinaut )


[1] https://gerrit.wikimedia.org/r/#/c/67002/

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l