
SubPageList3 has raw HTML messages
Closed, ResolvedPublic

Description

The flow of this is really convoluted, but if you pass debug=true as an argument to the parser tag, then when it hits an error condition (easily creatable), there are a bunch of wfMessage(...)->text() calls.

These are also probably causing localized messages to show up in the parser cache, but that's a different issue.

<checkstyle version="6.5">
  <file name="./SubPageList3.class.php">
    <error line="159" severity="warning" message="Outputting user controlled HTML from Parser tag hook \SubPageList3::renderSubpageList3 (Caused by: ./SubPageList3.class.php +321; ./SubPageList3.class.php +320)" source="SecurityCheck-XSS"/>
  </file>
</checkstyle>
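
The pattern the report describes, as an added example that is not SubPageList3's code: a parser tag hook returning `wfMessage(...)->text()` output as HTML, next to the escaped form. `DemoMessage`, the message text and the `$parent` argument are assumptions standing in for MediaWiki's `Message` class and the extension's real messages.

```php
<?php
// Stand-in for MediaWiki's Message class, modelling only the two output
// formats relevant here. Hypothetical: the real class does far more.
final class DemoMessage {
    private string $template;
    private array $params;

    public function __construct(string $template, array $params = []) {
        $this->template = $template;
        $this->params = $params;
    }

    // Like Message::text(): parameters substituted, no HTML escaping.
    public function text(): string {
        $out = $this->template;
        foreach ($this->params as $i => $value) {
            $out = str_replace('$' . ($i + 1), (string)$value, $out);
        }
        return $out;
    }

    // Like Message::escaped(): the same string, HTML-escaped for output.
    public function escaped(): string {
        return htmlspecialchars($this->text(), ENT_QUOTES, 'UTF-8');
    }
}

// Constructed message text, not taken from SubPageList3.
const DEMO_TEMPLATE = 'Page "$1" has no subpages';

// Before: error text built with text() is returned as tag-hook HTML.
function renderErrorUnsafe(string $parent): string {
    $msg = new DemoMessage(DEMO_TEMPLATE, [$parent]);
    return '<div class="error">' . $msg->text() . '</div>';
}

// After: the same message is escaped before it joins the HTML output.
function renderErrorSafe(string $parent): string {
    $msg = new DemoMessage(DEMO_TEMPLATE, [$parent]);
    return '<div class="error">' . $msg->escaped() . '</div>';
}

$arg = '<i onmouseover="x">Foo</i>'; // constructed user-controlled tag argument
echo renderErrorUnsafe($arg), "\n";  // the markup reaches the page as HTML
echo renderErrorSafe($arg), "\n";    // the markup arrives as inert text
```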