Phabricator file F61667506: 02-T395949.patch
Authored By: SomeRandomDeveloper, Jun 5 2025, 3:43 PM (2025-06-05 15:43:25 UTC+0)
Size: 2 KB
From a6f68f9781aea527721a683466a74839ad144b47 Mon Sep 17 00:00:00 2001
From: SomeRandomDeveloper <thisisnotmyname275@gmail.com>
Date: Tue, 3 Jun 2025 20:16:13 +0200
Subject: [PATCH] SECURITY: Sanitize style parameter properly
Also use Html to build the iframe element, which simplifies
sanitizing other parameters.
Raise the MW requirement to 1.43 to support namespaced imports
for the Html and Sanitizer classes.
Bump the version to 1.5.
Bug: T395949
---
extension.json | 4 ++--
src/GoogleDocs4MW.php | 33 +++++++++++++++++++--------------
2 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/extension.json b/extension.json
index c31be57..2db0ae0 100644
--- a/extension.json
+++ b/extension.json
@@ -1,6 +1,6 @@
{
"name": "GoogleDocs4MW",
- "version": "1.4",
+ "version": "1.5",
"author": [
"Jack Phoenix"
],
@@ -9,7 +9,7 @@
"descriptionmsg": "googledocs4mw-desc",
"type": "parserhook",
"requires": {
- "MediaWiki": ">= 1.31.0"
+ "MediaWiki": ">= 1.43.0"
},
"MessagesDirs": {
"GoogleDocs4MW": [
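Review bot: raising the minimum MediaWiki version from 1.31.0 to 1.43.0 inside a security fix means any wiki running an older supported branch cannot install this release to close the style-parameter issue. If the only reason for the bump is the namespaced `use MediaWiki\Html\Html;` / `use MediaWiki\Parser\Sanitizer;` imports, consider keeping the fix itself on a backport that references the class names available on older branches, and bumping the requirement in a separate, non-security release.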
diff --git a/src/GoogleDocs4MW.php b/src/GoogleDocs4MW.php
index 56f8dd7..747c858 100644
--- a/src/GoogleDocs4MW.php
+++ b/src/GoogleDocs4MW.php
@@ -1,4 +1,8 @@
<?php
+
+use MediaWiki\Html\Html;
+use MediaWiki\Parser\Sanitizer;
+
/**
* GoogleDocs4MW parser extension - adds <googlespreadsheet> tag for displaying
* Google Docs' spreadsheets
@@ -25,22 +29,23 @@ class GoogleDocs4MW {
*
* @param string $input
* @param array $argv
- * @return $output
+ * @return string $output
*/
public static function renderGoogleSpreadsheet( $input, $argv ) {
- $width = isset( $argv['width'] ) ? $argv['width'] : 500;
- $height = isset( $argv['height'] ) ? $argv['height'] : 300;
- $style = isset( $argv['style'] ) ? $argv['style'] : 'width:100%';
- $key = htmlspecialchars( $input, ENT_QUOTES );
-
- $output = '<iframe class="googlespreadsheetframe" width="' .
- intval( $width ) . '" height="' .
- intval( $height ) . '" style="' .
- htmlspecialchars( $style, ENT_QUOTES ) .
- '" src="https://docs.google.com/spreadsheets/d/' . $key .
- '/htmlembed?widget=true"></iframe>';
-
- return $output;
+ $width = $argv['width'] ?? 500;
+ $height = $argv['height'] ?? 300;
+ $style = $argv['style'] ?? 'width:100%';
+ $style = Sanitizer::checkCss( $style );
+
+ $src = 'https://docs.google.com/spreadsheets/d/' . $input . '/htmlembed?widget=true';
+
+ return Html::element( 'iframe', [
+ 'class' => 'googlespreadsheetframe',
+ 'width' => intval( $width ),
+ 'height' => intval( $height ),
+ 'style' => $style,
+ 'src' => $src,
+ ] );
}
}
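Review bot: the spreadsheet key from `$input` now goes into `$src` with no validation of its shape; dropping the old `htmlspecialchars( $input, ENT_QUOTES )` is fine only because `Html::element` escapes attribute values itself, which closes attribute breakout but does not stop a key containing `/`, `?` or `#` from changing the path or query of the otherwise fixed docs.google.com URL. Suggest either restricting the key to the character set a document id can contain or wrapping it with `rawurlencode()` before concatenation. Two smaller points on the same hunk: `Sanitizer::checkCss()` returns the sanitized CSS string (unsafe constructs replaced, not a boolean), so assigning its result back to `$style` is the correct usage; and the docblock change to `@return string $output` names a variable that no longer exists after this hunk, so plain `@return string` is enough.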
--
2.49.0
Mime Type: text/x-diff
Attached To: T395949: CVE-2025-53489: Improperly sanitized style parameter in GoogleDocs4MW