Page MenuHomePhabricator
Create Task
Maniphest T159075

Fix character escaping throughout the extension files
Closed, ResolvedPublic
Actions

Description

In T115095#3004776, @Bawolff wrote:

Review of 631882e3779 of Newsletter extension (Jan 29, 2017)

  • "NewsletterTablePager.php" line 96 - Run htmlspecialchars after you truncate, not before. In this particular case, the worst that could happen would be for an entity reference to get cut off in the middle, but nonetheless escaping should always be the last thing you do.
  • NewsletterDiffEngine - The messages for the h4 headers are not escaped.
  • "SpecialNewsletter.php" line 142 - newsletter-subtitlelinks-foo message is not escaped when it is the active link.
  • "SpecialNewsletter.php" line 207 - Double escaping newsletter-do-unsubscribe.
  • "SpecialNewsletter.php" line 220 - Double escaping newsletter-do-subscribe.
  • "NewsletterContent.php" line 253 - Double escaping in the OOUI button labels (5 instances)
  • "NewsletterTablePager.php" line 33 - getFieldNames() has double escaping.

Details

SubjectRepoBranchLines +/-
Removing double escaping from getFieldNames()mediawiki/extensions/Newslettermaster+3 -3
Removing double escaping of OOUI labelsmediawiki/extensions/Newslettermaster+5 -5
Removing double escaping of (un)subscribe messagemediawiki/extensions/Newslettermaster+2 -2
Escaping newsletter-subtitlelinks-foo messagemediawiki/extensions/Newslettermaster+1 -1
h4 messages not escaped in NewsletterDiffEnginemediawiki/extensions/Newslettermaster+3 -3
Escaping newsletter-subtitlelinks-foo messagemediawiki/extensions/Newslettermaster+1 -1
Converting $values to HTML entity after truncatingmediawiki/extensions/Newslettermaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

01tonythomas created this task.Feb 26 2017, 5:26 PM
mvmohitverma54 subscribed.Feb 26 2017, 6:06 PM

i want to try to fix them as its my first time contribution how to get source code for this help me getting it here tony

Aklapper added a comment.Feb 26 2017, 7:56 PM
In T159075#3056201, @mvmohitverma54 wrote:

i want to try to fix them as its my first time contribution how to get source code for this help me getting it here tony

Welcome @mvmohitverma54! Please see https://www.mediawiki.org/wiki/How_to_become_a_MediaWiki_hacker for general questions (like how to get the code) which are not specifically related to the topic of this task. (And using punctuation is also welcome - makes things easier to read! :) ) Thanks a lot! Looking forward to your patch!

01tonythomas moved this task from Backlog to Security Review (production blockers) on the MediaWiki-extensions-Newsletter board.Feb 26 2017, 8:13 PM
01tonythomas mentioned this in T115095: Security review of Newsletter extension.Feb 26 2017, 8:16 PM
gerritbot subscribed.Feb 26 2017, 8:22 PM

Change 339963 had a related patch set uploaded (by D3r1ck01):
Converting $values to HTML entity after truncating

https://gerrit.wikimedia.org/r/339963

gerritbot added a project: Patch-For-Review.Feb 26 2017, 8:22 PM
gerritbot added a comment.Feb 26 2017, 8:26 PM

Change 339963 merged by jenkins-bot:
Converting $values to HTML entity after truncating

https://gerrit.wikimedia.org/r/339963

xSavitar updated the task description. (Show Details)Feb 26 2017, 8:27 PM
gerritbot added a comment.Feb 26 2017, 8:46 PM

Change 339967 had a related patch set uploaded (by D3r1ck01):
Escaping newsletter-subtitlelinks-foo message

https://gerrit.wikimedia.org/r/339967

gerritbot added a comment.Feb 26 2017, 11:30 PM

Change 339967 abandoned by D3r1ck01:
Escaping newsletter-subtitlelinks-foo message

Reason:
Will submit a different PS instead.

https://gerrit.wikimedia.org/r/339967

gerritbot added a comment.Feb 26 2017, 11:32 PM

Change 340054 had a related patch set uploaded (by D3r1ck01):
h4 messages not escaped in NewsletterDiffEngine

https://gerrit.wikimedia.org/r/340054

xSavitar subscribed.Feb 26 2017, 11:39 PM
Srijancse subscribed.Feb 28 2017, 5:47 AM
xSavitar claimed this task.Feb 28 2017, 1:39 PM

Taking this one but anyone is free to still do any task in the list if its undone since its a many-in-one task.

01tonythomas added a comment.Feb 28 2017, 2:15 PM

@Bawolff : I was just wondering why we would need ->escape() here

$output .= Html::element( 'h4', [],
					$this->msg( 'newsletter-diff-descheader' )->text() );

as its just an extension message - without any extra params. Probably I am missing something ?

gerritbot added a comment.Feb 28 2017, 2:30 PM

Change 340314 had a related patch set uploaded (by D3r1ck01; owner: Alangi Derick):
Escaping newsletter-subtitlelinks-foo message

https://gerrit.wikimedia.org/r/340314

xSavitar updated the task description. (Show Details)Feb 28 2017, 2:47 PM
xSavitar updated the task description. (Show Details)
xSavitar updated the task description. (Show Details)
xSavitar added a comment.Feb 28 2017, 3:05 PM

@Bawolff, I don't think 'default' => $this->msg( 'newsletter-do-unsubscribe' )->escaped(), is double escaped and I have tested and I am sure. As per this task: "SpecialNewsletter.php" line 207 - Double escaping newsletter-do-unsubscribe. Have a second look and let me know :)

01tonythomas added a comment.Feb 28 2017, 3:07 PM
In T159075#3061223, @D3r1ck01 wrote:

@Bawolff, I don't think 'default' => $this->msg( 'newsletter-do-unsubscribe' )->escaped(), is double escaped and I have tested and I am sure. As per this task: "SpecialNewsletter.php" line 207 - Double escaping newsletter-do-unsubscribe. Have a second look and let me know :)

For this case, my assumption is that HTMLForm::factory() might be doing the magic of escaping.

xSavitar added a comment.Feb 28 2017, 3:19 PM
In T159075#3061236, @01tonythomas wrote:
In T159075#3061223, @D3r1ck01 wrote:

@Bawolff, I don't think 'default' => $this->msg( 'newsletter-do-unsubscribe' )->escaped(), is double escaped and I have tested and I am sure. As per this task: "SpecialNewsletter.php" line 207 - Double escaping newsletter-do-unsubscribe. Have a second look and let me know :)

For this case, my assumption is that HTMLForm::factory() might be doing the magic of escaping.

@01tonythomas, when I remove escaped() and replace with text(), its no longer escaped but when escaped() is allowed, the string is actually escaped. So what magic does HTMLForm::factory() do that doesn't affect text() or are my missing something?

Bawolff added a comment.Feb 28 2017, 10:48 PM

Sorry folks I think I made a mistake here. The h4 does indeed appear to already be properly escaped (since Html::element escapes things).

gerritbot added a comment.Feb 28 2017, 11:04 PM

Change 340054 abandoned by D3r1ck01:
h4 messages not escaped in NewsletterDiffEngine

Reason:
Abandoning PS since its no longer needed.

https://gerrit.wikimedia.org/r/340054

xSavitar updated the task description. (Show Details)Feb 28 2017, 11:21 PM
In T159075#3063023, @Bawolff wrote:

Sorry folks I think I made a mistake here. The h4 does indeed appear to already be properly escaped (since Html::element escapes things).

Ok @Bawolff. I just marked it as done. Thanks for your feedback :)

xSavitar updated the task description. (Show Details)Feb 28 2017, 11:47 PM
xSavitar updated the task description. (Show Details)Mar 1 2017, 8:19 PM
gerritbot added a comment.Mar 1 2017, 8:22 PM

Change 340314 merged by jenkins-bot:
Escaping newsletter-subtitlelinks-foo message

https://gerrit.wikimedia.org/r/340314

gerritbot added a comment.Mar 1 2017, 8:49 PM

Change 340566 had a related patch set uploaded (by D3r1ck01; owner: Alangi Derick):
[mediawiki/extensions/Newsletter] Removing double escaping of (un)subscribe message

https://gerrit.wikimedia.org/r/340566

xSavitar updated the task description. (Show Details)Mar 1 2017, 8:56 PM
xSavitar updated the task description. (Show Details)Mar 1 2017, 9:15 PM
gerritbot added a comment.Mar 1 2017, 9:17 PM

Change 340566 merged by D3r1ck01:
[mediawiki/extensions/Newsletter] Removing double escaping of (un)subscribe message

https://gerrit.wikimedia.org/r/340566

gerritbot added a comment.Mar 1 2017, 9:29 PM

Change 340604 had a related patch set uploaded (by D3r1ck01; owner: Alangi Derick):
[mediawiki/extensions/Newsletter] Double escaping of OOUI labels

https://gerrit.wikimedia.org/r/340604

xSavitar updated the task description. (Show Details)Mar 1 2017, 9:31 PM
gerritbot added a comment.Mar 1 2017, 9:54 PM

Change 340604 merged by D3r1ck01:
[mediawiki/extensions/Newsletter] Removing double escaping of OOUI labels

https://gerrit.wikimedia.org/r/340604

xSavitar updated the task description. (Show Details)Mar 1 2017, 9:56 PM
gerritbot added a comment.Mar 1 2017, 10:05 PM

Change 340650 had a related patch set uploaded (by D3r1ck01; owner: Alangi Derick):
[mediawiki/extensions/Newsletter] Removing double escaping from getFieldNames()

https://gerrit.wikimedia.org/r/340650

xSavitar updated the task description. (Show Details)Mar 1 2017, 10:22 PM
Bawolff closed this task as Resolved.Mar 1 2017, 10:23 PM

Looks good.

gerritbot added a comment.Mar 1 2017, 10:25 PM

Change 340650 merged by D3r1ck01:
[mediawiki/extensions/Newsletter] Removing double escaping from getFieldNames()

https://gerrit.wikimedia.org/r/340650

Ricordisamoa mentioned this in T76291: gerritbot should report both author and committer.Mar 2 2017, 6:44 PM
gerritbot added a comment.Mar 2 2017, 7:16 PM

Change 340801 had a related patch set uploaded (by Paladox):
[operations/puppet] Gerrit: Fix bot so that it checks against *-name and *-username

https://gerrit.wikimedia.org/r/340801

Qgil awarded a token.Mar 13 2017, 4:54 PM
xSavitar awarded a token.Oct 7 2017, 5:34 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits