Self explanatory. We currently have 23 warnings which I wasn't able to fix.
Description
Details
Event Timeline
Change 439918 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] [WIP] Make AbuseFilter pass phan taint-check
Change 444020 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/AbuseFilter@master] Minor escaping fixes
That patch + a patch to OOUI marking all the __construct parameters as escapes_html should fix all but 1 of the warnings.
The last warning seems to be a bug in how phan handles pass by reference parameters triggered by ChangesList::insertLog in core (For some unknown reason)
Change 439918 abandoned by Daimona Eaytoy:
[WIP] Make AbuseFilter pass phan taint-check
Reason:
I7fd1798030d83292ce46543e25c0c431ec345a11 solved these problems
Change 444020 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Minor escaping fixes
Change 444452 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Force phan-taint-check to think LogFormatter stuff is safe for html
Change 444453 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] minor escaping fix. html escape the timestamp in RC
it passes locally for me, so once all these things are merged, and a new version of phan-taint-check is tagged, this bug should be done.
Change 444452 merged by jenkins-bot:
[mediawiki/core@master] Force phan-taint-check to think LogFormatter stuff is safe for html
Change 444453 merged by jenkins-bot:
[mediawiki/core@master] ChangesList: HTML escape the timestamp
From https://integration.wikimedia.org/ci/job/mwext-php70-phan-seccheck-docker-non-voting/1143/console I see that we still have two errors. I can't determine the reason though.
The "./includes/Views/AbuseFilterViewTestBatch.php" one will be fixed once next version pf phan-taint-check is released (which hasn't happened yet)
https://integration.wikimedia.org/ci/job/mwext-php70-phan-seccheck-docker/2926/consoleFull is a run with master of phan-taint-check-plugin that shows no errors :)
@Bawolff should I tag a new release of the plugin? Or was there something you were waiting on?
Nice to know, we'll wait then. Do you think it'd be good to have it as voting, or is it enough to keep it as non-voting?
Change 452587 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/AbuseFilter@master] Update phan-taint-check to 1.3.0. Hopefully should pass now
Hmm, now we have:
Calling method \OutputPage::addHTML() in \AbuseFilterViewExamine::showExaminer that outputs using tainted argument $html. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./includes/Views/AbuseFilterViewExamine.php +194; ./includes/Views/AbuseFilterViewExamine.php +195; ./includes/Views/AbuseFilterViewExamine.php +213; ./includes/Views/AbuseFilterViewExamine.php +218; ./includes/Views/AbuseFilterViewExamine.php +220)
Guess I'll have to figure out what's up with that.
Change 452587 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Update phan-taint-check to 1.3.0. Hopefully should pass now
Is this something wrong on OOUI's end?
Note: now we also have another error on SpecialAbuseLog. Seems to be caused by the legend element at line 502, maybe a minor message escaping problem?
Change 454033 had a related patch set uploaded (by Umherirrender; owner: Umherirrender):
[mediawiki/extensions/AbuseFilter@master] Avoid variable reuse to pass taint-check
It seems the value from WebRequest::getText is the "problem" here.
Does it needs escaping when passed to Xml::textarea?
Change 454033 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Avoid variable reuse to pass taint-check
Change 454202 had a related patch set uploaded (by Umherirrender; owner: Umherirrender):
[integration/config@master] Make seccheck voting for AbuseFilter
Change 454202 merged by jenkins-bot:
[integration/config@master] Make seccheck voting for AbuseFilter