
SmiteSpam has lots of HTML messages
Closed, Resolved; Public

Description

I quickly reviewed SpecialSmiteSpamTrustedUsers.php and a ton of messages are inserted as raw HTML into the form. They should be escaped.

Event Timeline

Change 326243 had a related patch set uploaded (by MtDu):
Escape raw HTML messages in SmiteSpam SpecialPages

https://gerrit.wikimedia.org/r/326243

Change 326243 merged by jenkins-bot:
Escape raw HTML messages in SmiteSpam SpecialPages

https://gerrit.wikimedia.org/r/326243

@Legoktm, @Aklapper: Could you please resolve the conflict between this task and T152852? @FilipGCI says that the GCI task was claimed by them (https://gerrit.wikimedia.org/r/#/c/326282/). I haven't registered as a GCI mentor, so I don't know what's happening there.

@polybuildr I don't know, maybe I should abandon it. Btw, I think there shouldn't be "->escaped" because code will look like that "Hello%20World", and it shouldn't be in Special Pages

@FilipGCI, I don't think that's what happens. The %20 kind of escaping is for use in URLs (such as PHP's urlencode), but this is escaping for HTML (< gets converted to &lt; and other things like that). Take a look at https://www.mediawiki.org/wiki/Manual:Messages_API#Output_modes_and_escaping.

[For the records; sorted out the GCI aspects of this task.]
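
The difference between HTML escaping and URL encoding discussed in the thread above, as an added example that is not part of the task or of the SmiteSpam patch. `DemoMessage` is a hypothetical stand-in that only mimics the `text()` and `escaped()` output modes of the Messages API, and the sample message strings are constructed.

```php
<?php
// Hypothetical stand-in for a message object (not MediaWiki code).
final class DemoMessage {
    private string $template;
    private array $params = [];

    public function __construct(string $template) {
        $this->template = $template;
    }

    public function params(string ...$params): self {
        $this->params = $params;
        return $this;
    }

    // Substitute $1, $2, ... and return the result without any escaping.
    public function text(): string {
        $map = [];
        foreach ($this->params as $i => $value) {
            $map['$' . ($i + 1)] = $value;
        }
        return strtr($this->template, $map);
    }

    // Same substitution, then escape for use inside HTML.
    public function escaped(): string {
        return htmlspecialchars($this->text(), ENT_QUOTES, 'UTF-8');
    }
}

// Constructed samples: an ordinary message and a local override carrying markup.
$samples = [
    'plain'    => new DemoMessage('Hello World'),
    'override' => (new DemoMessage('Trusted users on $1 <script>alert(1)</script>'))
        ->params('<b>my wiki</b>'),
];

foreach ($samples as $name => $msg) {
    echo "$name\n";
    echo "  raw into form:     <label>" . $msg->text() . "</label>\n";
    echo "  escaped into form: <label>" . $msg->escaped() . "</label>\n";
    echo "  URL-encoded:       " . rawurlencode($msg->text()) . "\n";
}

// Ordinary text passes through HTML escaping unchanged; %20 comes only from URL encoding.
if ($samples['plain']->escaped() !== 'Hello World' || rawurlencode('Hello World') !== 'Hello%20World') {
    throw new RuntimeException('unexpected escaping result');
}
```

In the output, the escaped label for the override sample contains `&lt;script&gt;` and `&lt;b&gt;`, so the browser shows the markup as text instead of interpreting it.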