
Suppress or fix non-double escape phan-taint-check warnings for MW core
Open, Medium, Public

Description

As the first step to getting phan-taint-check running on MW core, we need to get rid of the false (and true!) positives in MW core.

As a first step, ignore the double escaping warnings, to make this task more manageable (we can exclude those warnings in the initial deployment to the build process).

Event Timeline

Bawolff created this task. Feb 17 2019, 10:09 AM

Change 462839 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Avoid rawParams() in Special:Emailuser

https://gerrit.wikimedia.org/r/462839

Change 491035 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Make addIdentifierQuotes part of IDatabase

https://gerrit.wikimedia.org/r/491035

Aklapper renamed this task from Suppress or fix non-doubke escape phan-taint-check warnings for MW core to Suppress or fix non-double escape phan-taint-check warnings for MW core. Feb 17 2019, 11:07 AM

Change 491036 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Make Special:Version escape extension names that aren't links

https://gerrit.wikimedia.org/r/491036

Change 491037 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Do not use raw html for Special:ProtectedPages drop-down messages

https://gerrit.wikimedia.org/r/491037

Change 491038 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Use htmlspecialchars() not htmlentities in xml export for validity

https://gerrit.wikimedia.org/r/491038

Change 491039 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Various fixes to Block.php to make phan-taint-check happy

https://gerrit.wikimedia.org/r/491039

Change 491040 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Various fixes to make phan-taint-check happier

https://gerrit.wikimedia.org/r/491040

Change 491041 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Various fixes to make phan-taint-check happier

https://gerrit.wikimedia.org/r/491041

Change 491042 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Various fixes for phan-taint-check

https://gerrit.wikimedia.org/r/491042

Change 491043 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Various fixes for phan-taint-check

https://gerrit.wikimedia.org/r/491043

Change 462839 merged by jenkins-bot:
[mediawiki/core@master] Avoid rawParams() in Special:Emailuser

https://gerrit.wikimedia.org/r/462839

Change 491037 merged by jenkins-bot:
[mediawiki/core@master] Do not use raw html for Special:ProtectedPages drop-down messages

https://gerrit.wikimedia.org/r/491037

Change 491042 merged by jenkins-bot:
[mediawiki/core@master] Various fixes for phan-taint-check

https://gerrit.wikimedia.org/r/491042

Change 491041 merged by jenkins-bot:
[mediawiki/core@master] Various fixes to make phan-taint-check happier

https://gerrit.wikimedia.org/r/491041

Change 491038 merged by jenkins-bot:
[mediawiki/core@master] Use htmlspecialchars() not htmlentities in xml export for validity

https://gerrit.wikimedia.org/r/491038

Change 491043 merged by jenkins-bot:
[mediawiki/core@master] Various fixes for phan-taint-check

https://gerrit.wikimedia.org/r/491043

Change 491040 merged by jenkins-bot:
[mediawiki/core@master] Various fixes to make phan-taint-check happier

https://gerrit.wikimedia.org/r/491040

Change 491035 merged by jenkins-bot:
[mediawiki/core@master] Make addIdentifierQuotes part of IDatabase

https://gerrit.wikimedia.org/r/491035

Change 491036 had a related patch set uploaded (by Krinkle; owner: Brian Wolff):
[mediawiki/core@master] Make Special:Version escape extension names that aren't links

https://gerrit.wikimedia.org/r/491036

Change 491036 merged by jenkins-bot:
[mediawiki/core@master] Make Special:Version escape extension names that aren't links

https://gerrit.wikimedia.org/r/491036

Krinkle moved this task from Inbox to Checkers on the MediaWiki-Core-Testing board. Apr 8 2019, 6:02 PM
Daimona added a subscriber: Daimona. Edited May 15 2019, 5:22 PM

I checked with 2.x, and we have 64 DoubleEscaped of a total of 512 warnings, so they're not really a problem. I'll sample a few warnings and check how many false positives I got. If there are too many, it may be worth fixing taint-check first (if the fix is easy), then start working on core as soon as a future version (not 2.0) is released.

EDIT: And apparently some of them are false positives. I'll check how we can fix those. ATM I cannot compare the results with seccheck master due to system incompatibility, so I'm wondering, is there an error count available for taint-check master?

Daimona added a comment. Edited May 19 2019, 11:48 AM

I checked with 2.x, and we have 64 DoubleEscaped of a total of 512 warnings

After having fixed some other regressions, running https://gerrit.wikimedia.org/r/#/c/mediawiki/tools/phan/SecurityCheckPlugin/+/507619/ on core yields 218 DoubleEscaped warnings and 249 total warnings. I'll look into the remaining issues.

sbassett changed the task status from Open to Stalled. Jun 26 2019, 7:21 PM
sbassett triaged this task as Medium priority.
sbassett added a subscriber: sbassett.

@Daimona - with r/507619 being merged, do we need to keep this task open? If there are remaining issues, do we want to break those out into other tasks?

@sbassett Great question! I think we need the final error count with seccheck 2.x. Individual tasks will probably be the right choice once we get a limited amount of different errors.

Change 522419 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/core@master] [WIP] Add phan-taint-check-plugin

https://gerrit.wikimedia.org/r/522419

Daimona changed the task status from Stalled to Open. Jul 12 2019, 11:50 AM

Let's see how many things we have to fix, and whether to open separate tasks.

Daimona added a comment. Edited Jul 15 2019, 11:20 AM

Current warnings list is here:

```xml
<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
 <file name="includes/CategoryViewer.php">
 <error line="184" severity="warning" message="Calling method \CategoryViewer::generateLink() in \CategoryViewer::addSubcategoryObject that outputs using tainted argument $[arg #4]. (Caused by: includes/CategoryViewer.php +203)" source="SecurityCheck-DoubleEscaped"/>
 <error line="416" severity="warning" message="Calling method \CategoryViewer::formatList() in \CategoryViewer::getSubcategorySection that outputs using tainted argument $[arg #2]. (Caused by: includes/CategoryViewer.php +534) (Caused by: includes/CategoryViewer.php +191; includes/CategoryViewer.php +275)" source="SecurityCheck-DoubleEscaped"/>
 <error line="446" severity="warning" message="Calling method \CategoryViewer::formatList() in \CategoryViewer::getPagesSection that outputs using tainted argument $[arg #2]. (Caused by: includes/CategoryViewer.php +534) (Caused by: includes/CategoryViewer.php +268; includes/CategoryViewer.php +279)" source="SecurityCheck-DoubleEscaped"/>
 <error line="474" severity="warning" message="Calling method \CategoryViewer::formatList() in \CategoryViewer::getImageSection that outputs using tainted argument $[arg #2]. (Caused by: includes/CategoryViewer.php +534) (Caused by: includes/CategoryViewer.php +253; includes/CategoryViewer.php +283)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/Linker.php">
 <error line="858" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/Linker.php +858)" source="SecurityCheck-DoubleEscaped"/>
 <error line="1760" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/Linker.php +1760)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/OutputPage.php">
 <error line="2561" severity="warning" message="Echoing expression that was not html escaped (Caused by: includes/OutputPage.php +1573; includes/OutputPage.php +1551; includes/OutputPage.php +1560; includes/OutputPage.php +1939; includes/OutputPage.php +2653; includes/OutputPage.php +3960; includes/OutputPage.php +2843; includes/OutputPage.php +2730; i...)" source="SecurityCheck-XSS"/>
 <error line="3165" severity="warning" message="Calling method \ResourceLoader::makeConfigSetScript() in \OutputPage::getBottomScripts that outputs using tainted argument $[arg #1]. (Caused by: includes/resourceloader/ResourceLoader.php +1537) (Caused by: includes/OutputPage.php +1890)" source="SecurityCheck-DoubleEscaped"/>
 <error line="3166" severity="warning" message="Calling method \ResourceLoader::makeConfigSetScript() in \OutputPage::getBottomScripts that outputs using tainted argument $[arg #1]. (Caused by: includes/resourceloader/ResourceLoader.php +1537) (Caused by: includes/OutputPage.php +1890)" source="SecurityCheck-DoubleEscaped"/>
 <error line="3816" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/OutputPage.php +3812)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/Rest/ResponseFactory.php">
 <error line="234" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/Rest/ResponseFactory.php +234)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/actions/HistoryAction.php">
 <error line="415" severity="warning" message="Calling method \FeedItem::__construct() in \HistoryAction::feedEmpty that outputs using tainted argument $[arg #2]. (Caused by: includes/changes/FeedItem.php +145) (Caused by: Builtin-\Message::parseAsBlock; includes/language/Message.php +981)" source="SecurityCheck-DoubleEscaped"/>
 <error line="457" severity="warning" message="Calling method \FeedItem::__construct() in \HistoryAction::feedItem that outputs using tainted argument $text. (Caused by: includes/changes/FeedItem.php +145) (Caused by: includes/actions/HistoryAction.php +436)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/actions/RawAction.php">
 <error line="127" severity="warning" message="Calling method \HttpError::__construct() in \RawAction::onView that outputs using tainted argument $msg. (Caused by: includes/exception/HttpError.php +122) (Caused by: includes/actions/RawAction.php +126)" source="SecurityCheck-DoubleEscaped"/>
 <error line="152" severity="warning" message="Calling method \HttpError::__construct() in \RawAction::onView that outputs using tainted argument $[arg #2]. (Caused by: includes/exception/HttpError.php +122) (Caused by: includes/GlobalFunctions.php +1270)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/api/ApiCSPReport.php">
 <error line="188" severity="warning" message="Calling method \ApiCSPReport::error() in \ApiCSPReport::getReport that outputs using tainted argument $msg. (Caused by: includes/api/ApiCSPReport.php +252) (Caused by: includes/api/ApiCSPReport.php +184)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/api/ApiFeedContributions.php">
 <error line="148" severity="warning" message="Calling method \FeedItem::__construct() in \ApiFeedContributions::feedItem that outputs using tainted argument $[arg #2]. (Caused by: includes/changes/FeedItem.php +145) (Caused by: includes/api/ApiFeedContributions.php +197; includes/api/ApiFeedContributions.php +177)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/api/ApiFeedWatchlist.php">
 <error line="157" severity="warning" message="Calling method \FeedItem::__construct() in \ApiFeedWatchlist::execute that outputs using tainted argument $errorTitle. (Caused by: includes/changes/FeedItem.php +119) (Caused by: includes/api/ApiFeedWatchlist.php +155)" source="SecurityCheck-DoubleEscaped"/>
 <error line="164" severity="warning" message="Calling method \FeedItem::__construct() in \ApiFeedWatchlist::execute that outputs using tainted argument $errorTitle. (Caused by: includes/changes/FeedItem.php +119) (Caused by: includes/api/ApiFeedWatchlist.php +162)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/api/ApiFormatJson.php">
 <error line="112" severity="warning" message="Calling method \ApiFormatJson::printText() in \ApiFormatJson::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/api/ApiFormatJson.php +112; includes/api/ApiFormatJson.php +109)" source="SecurityCheck-XSS"/>
 </file>
 <file name="includes/api/ApiHelp.php">
 <error line="293" severity="warning" message="Calling method \Html::element() in \ApiHelp::getHelpInternal that outputs using tainted argument $headerContent. (Caused by: Builtin-\Html::element) (Caused by: includes/api/ApiHelp.php +269; includes/api/ApiHelp.php +293)" source="SecurityCheck-DoubleEscaped"/>
 <error line="571" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/api/ApiHelp.php +571)" source="SecurityCheck-DoubleEscaped"/>
 <error line="807" severity="warning" message="Calling method \Html::element() in \ApiHelp::getHelpInternal that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Html::element) (Caused by: includes/api/ApiHelp.php +317; includes/api/ApiHelp.php +808; includes/api/ApiHelp.php +807)" source="SecurityCheck-DoubleEscaped"/>
 <error line="808" severity="warning" message="Calling method \Html::element() in \ApiHelp::getHelpInternal that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Html::element) (Caused by: includes/api/ApiHelp.php +317; includes/api/ApiHelp.php +808)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/api/ApiQueryBacklinks.php">
 <error line="450" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/api/ApiQueryBacklinks.php +173; includes/api/ApiQueryBacklinks.php +295; includes/api/ApiQueryBacklinks.php +250; includes/api/ApiQueryBacklinks.php +294; includes/api/ApiQueryBacklinks.php +287)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/block/DatabaseBlock.php">
 <error line="321" severity="error" message="Calling method \Wikimedia\Rdbms\Database::select() in \MediaWiki\Block\DatabaseBlock::newLoad that outputs using tainted argument $conds. (Caused by: Builtin-\Wikimedia\Rdbms\Database::select) (Caused by: includes/block/DatabaseBlock.php +299; includes/block/DatabaseBlock.php +295; includes/block/DatabaseBlock.php +303; includes/block/DatabaseBlock.php +305; includes/block/DatabaseBlock.php +310; includes/block/DatabaseBlock.php +312)" source="SecurityCheck-SQLInjection"/>
 </file>
 <file name="includes/changes/ChangesFeed.php">
 <error line="115" severity="warning" message="Calling method \FeedItem::__construct() in \ChangesFeed::buildItems that outputs using tainted argument $[arg #5]. (Caused by: includes/changes/FeedItem.php +182) (Caused by: Builtin-\Message::escaped; includes/language/Message.php +994)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/changes/EnhancedChangesList.php">
 <error line="756" severity="warning" message="Calling method \Html::rawElement() in \EnhancedChangesList::recentChangesBlockLine that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Html::rawElement) (Caused by: includes/changes/EnhancedChangesList.php +755)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/changes/FeedItem.php">
 <error line="119" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getTitle that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/changes/FeedItem.php +119; includes/api/ApiFeedContributions.php +148; includes/changes/ChangesFeed.php +115; includes/api/ApiFeedWatchlist.php +157)" source="SecurityCheck-DoubleEscaped"/>
 <error line="119" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getTitle that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/changes/FeedItem.php +119; includes/api/ApiFeedContributions.php +148; includes/changes/ChangesFeed.php +115; includes/api/ApiFeedWatchlist.php +157; includes/api/ApiFeedWatchlist.php +164; includes/actions/HistoryAction.php +457)" source="SecurityCheck-DoubleEscaped"/>
 <error line="119" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getTitle that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/changes/FeedItem.php +119; includes/api/ApiFeedContributions.php +148; includes/changes/ChangesFeed.php +115; includes/api/ApiFeedWatchlist.php +157; includes/api/ApiFeedWatchlist.php +164; includes/actions/HistoryAction.php +457; includes/...)" source="SecurityCheck-DoubleEscaped"/>
 <error line="145" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getDescription that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/api/ApiFeedContributions.php +148; includes/changes/FeedItem.php +145)" source="SecurityCheck-DoubleEscaped"/>
 <error line="145" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getDescription that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/api/ApiFeedContributions.php +148; includes/changes/FeedItem.php +145; includes/actions/HistoryAction.php +457)" source="SecurityCheck-DoubleEscaped"/>
 <error line="145" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getDescription that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/api/ApiFeedContributions.php +148; includes/changes/FeedItem.php +145; includes/actions/HistoryAction.php +457; includes/actions/HistoryAction.php +415)" source="SecurityCheck-DoubleEscaped"/>
 <error line="145" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getDescription that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/api/ApiFeedContributions.php +148; includes/changes/FeedItem.php +145; includes/actions/HistoryAction.php +457; includes/actions/HistoryAction.php +415; includes/specials/SpecialNewpages.php +490)" source="SecurityCheck-DoubleEscaped"/>
 <error line="182" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getAuthor that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/changes/FeedItem.php +182; includes/changes/ChangesFeed.php +115)" source="SecurityCheck-DoubleEscaped"/>
 <error line="182" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getAuthor that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/changes/FeedItem.php +182; includes/changes/ChangesFeed.php +115; includes/specials/SpecialNewpages.php +490)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/exception/HttpError.php">
 <error line="122" severity="warning" message="Calling method \htmlspecialchars() in \HttpError::getHTML that outputs using tainted argument $[arg #1]. (Caused by: includes/exception/HttpError.php +122; includes/actions/RawAction.php +127)" source="SecurityCheck-DoubleEscaped"/>
 <error line="122" severity="warning" message="Calling method \htmlspecialchars() in \HttpError::getHTML that outputs using tainted argument $[arg #1]. (Caused by: includes/exception/HttpError.php +122; includes/actions/RawAction.php +127; includes/actions/RawAction.php +152; includes/linkeddata/PageDataRequestHandler.php +75; includes/linkeddata/PageDataRequestHandler.php +92; includes/linkeddata/PageDataRequ...)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/htmlform/fields/HTMLFormFieldCloner.php">
 <error line="391" severity="warning" message="Calling method \Html::rawElement() in \HTMLFormFieldCloner::getInputHTML that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Html::rawElement) (Caused by: includes/htmlform/fields/HTMLFormFieldCloner.php +390)" source="SecurityCheck-DoubleEscaped"/>
 <error line="471" severity="warning" message="Calling method \Html::rawElement() in \HTMLFormFieldCloner::getInputOOUI that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Html::rawElement) (Caused by: includes/htmlform/fields/HTMLFormFieldCloner.php +470)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/installer/DatabaseInstaller.php">
 <error line="643" severity="warning" message="Calling method \DatabaseInstaller::getPasswordBox() in \DatabaseInstaller::getInstallUserBox that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/DatabaseInstaller.php +545) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="643" severity="warning" message="Calling method \DatabaseInstaller::getTextBox() in \DatabaseInstaller::getInstallUserBox that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/DatabaseInstaller.php +518) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="645" severity="warning" message="Calling method \DatabaseInstaller::getTextBox() in \DatabaseInstaller::getInstallUserBox that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/DatabaseInstaller.php +518) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="651" severity="warning" message="Calling method \DatabaseInstaller::getPasswordBox() in \DatabaseInstaller::getInstallUserBox that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/DatabaseInstaller.php +545) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/installer/DatabaseUpdater.php">
 <error line="227" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/installer/DatabaseUpdater.php +227)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/installer/MssqlInstaller.php">
 <error line="92" severity="warning" message="Calling method \MssqlInstaller::getPasswordBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="92" severity="warning" message="Calling method \MssqlInstaller::getRadioSet() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="92" severity="warning" message="Calling method \MssqlInstaller::getTextBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="100" severity="warning" message="Calling method \MssqlInstaller::getTextBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="102" severity="warning" message="Calling method \MssqlInstaller::getTextBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="104" severity="warning" message="Calling method \MssqlInstaller::getTextBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="109" severity="warning" message="Calling method \MssqlInstaller::getRadioSet() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="127" severity="warning" message="Calling method \MssqlInstaller::getTextBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="133" severity="warning" message="Calling method \MssqlInstaller::getPasswordBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="325" severity="error" message="Calling method \Wikimedia\Rdbms\Database::query() in \MssqlInstaller::canCreateAccounts that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query)" source="SecurityCheck-SQLInjection"/>
 <error line="368" severity="warning" message="Calling method \MssqlInstaller::getRadioSet() in \MssqlInstaller::getSettingsForm that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="375" severity="warning" message="Calling method \MssqlInstaller::getRadioSet() in \MssqlInstaller::getSettingsForm that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/installer/MysqlInstaller.php">
 <error line="82" severity="warning" message="Calling method \MysqlInstaller::getTextBox() in \MysqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="90" severity="warning" message="Calling method \MysqlInstaller::getTextBox() in \MysqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="92" severity="warning" message="Calling method \MysqlInstaller::getTextBox() in \MysqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/installer/OracleInstaller.php">
 <error line="67" severity="warning" message="Calling method \OracleInstaller::getTextBox() in \OracleInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="77" severity="warning" message="Calling method \OracleInstaller::getTextBox() in \OracleInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/installer/PostgresInstaller.php">
 <error line="64" severity="warning" message="Calling method \PostgresInstaller::getTextBox() in \PostgresInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="73" severity="warning" message="Calling method \PostgresInstaller::getTextBox() in \PostgresInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="79" severity="warning" message="Calling method \PostgresInstaller::getTextBox() in \PostgresInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/installer/PostgresUpdater.php">
 <error line="1071" severity="error" message="Calling method \Wikimedia\Rdbms\DatabasePostgres::query() in \PostgresUpdater::dropFkey that outputs using tainted argument $command. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query) (Caused by: includes/installer/PostgresUpdater.php +1070; includes/installer/PostgresUpdater.php +1066; includes/installer/PostgresUpdater.php +1062; includes/installer/PostgresUpdater.php +1068)" source="SecurityCheck-SQLInjection"/>
 <error line="1093" severity="error" message="Calling method \Wikimedia\Rdbms\DatabasePostgres::query() in \PostgresUpdater::changeFkeyDeferrable that outputs using tainted argument $command. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query) (Caused by: includes/installer/PostgresUpdater.php +1092; includes/installer/PostgresUpdater.php +1089; includes/installer/PostgresUpdater.php +1080; includes/installer/PostgresUpdater.php +1088)" source="SecurityCheck-SQLInjection"/>
 </file>
 <file name="includes/installer/SqliteInstaller.php">
 <error line="88" severity="warning" message="Calling method \SqliteInstaller::getTextBox() in \SqliteInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/DatabaseInstaller.php +518) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="93" severity="warning" message="Calling method \SqliteInstaller::getTextBox() in \SqliteInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/DatabaseInstaller.php +518) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 </file>
 <file name="includes/installer/WebInstallerName.php">
 <error line="58" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="58" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692; includes/installer/WebInstallerName.php +56)" source="SecurityCheck-DoubleEscaped"/>
 <error line="58" severity="warning" message="Calling method \WebInstaller::getRadioSet() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +970) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="58" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="59" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="59" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692; includes/installer/WebInstallerName.php +56)" source="SecurityCheck-DoubleEscaped"/>
 <error line="59" severity="warning" message="Calling method \WebInstaller::getRadioSet() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +970) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="59" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="67" severity="warning" message="Calling method \WebInstaller::getRadioSet() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +970) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="82" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="95" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
 <error line="103" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
```
137 <error line="103" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
138 <error line="108" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692; includes/installer/WebInstallerName.php +56)" source="SecurityCheck-DoubleEscaped"/>
139 </file>
140 <file name="includes/installer/WebInstallerOptions.php">
141 <error line="127" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstallerOptions.php +125; includes/installer/WebInstallerOptions.php +121) (1092280 &amp;lt;- 567976)" source="SecurityCheckMulti"/>
142 <error line="128" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstallerOptions.php +125; includes/installer/WebInstallerOptions.php +121) (1092280 &amp;lt;- 567976)" source="SecurityCheckMulti"/>
143 <error line="129" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstallerOptions.php +125; includes/installer/WebInstallerOptions.php +121) (1092280 &amp;lt;- 567976)" source="SecurityCheckMulti"/>
144 <error line="145" severity="warning" message="Calling method \WebInstallerOptions::addHTML() in \WebInstallerOptions::execute that outputs using tainted argument $skinHtml. (Caused by: includes/installer/WebInstallerOptions.php +108; includes/installer/WebInstallerOptions.php +127; includes/installer/WebInstallerOptions.php +114; includes/installer/WebInstallerOptions.php +138; includes/installer/WebInstallerOptions.php +143; incl...)" source="SecurityCheck-XSS"/>
145 <error line="246" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
146 <error line="246" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
147 <error line="248" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
148 <error line="248" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
149 <error line="249" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
150 <error line="256" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
151 <error line="263" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
152 <error line="270" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
153 <error line="271" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
154 <error line="298" severity="warning" message="Calling method \WebInstaller::getTextArea() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +852) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
155 <error line="300" severity="warning" message="Calling method \WebInstaller::getTextArea() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +852) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
156 <error line="314" severity="warning" message="Calling method \WebInstaller::getTextArea() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +852) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
157 </file>
158 <file name="includes/jobqueue/utils/BacklinkJobUtils.php">
159 <error line="102" severity="error" message="Calling method \BacklinkCache::partition() in \BacklinkJobUtils::partitionBacklinkJob that outputs using tainted argument $[arg #1]. (Caused by: includes/cache/BacklinkCache.php +441) (Caused by: includes/jobqueue/utils/BacklinkJobUtils.php +90)" source="SecurityCheck-SQLInjection"/>
160 <error line="112" severity="error" message="Calling method \BacklinkCache::getLinks() in \BacklinkJobUtils::partitionBacklinkJob that outputs using tainted argument $[arg #1]. (Caused by: includes/cache/BacklinkCache.php +172) (Caused by: includes/jobqueue/utils/BacklinkJobUtils.php +90)" source="SecurityCheck-SQLInjection"/>
161 </file>
162 <file name="includes/language/Message.php">
163 <error line="1396" severity="warning" message="Calling method \Message::extractParam() in \Message::formatListParam that outputs using tainted argument $[arg #1]. (Caused by: includes/language/Message.php +1204)" source="SecurityCheck-DoubleEscaped"/>
164 <error line="1396" severity="warning" message="Calling method \Message::extractParam() in \Message::formatListParam that outputs using tainted argument $[arg #1]. (Caused by: includes/language/Message.php +1204; includes/language/Message.php +1245)" source="SecurityCheck-DoubleEscaped"/>
165 </file>
166 <file name="includes/libs/rdbms/database/DatabasePostgres.php">
167 <error line="874" severity="error" message="Calling method \Wikimedia\Rdbms\DatabasePostgres::query() in \Wikimedia\Rdbms\DatabasePostgres::resetSequenceForTable that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query)" source="SecurityCheck-SQLInjection"/>
168 </file>
169 <file name="includes/linkeddata/PageDataRequestHandler.php">
170 <error line="75" severity="warning" message="Calling method \HttpError::__construct() in \PageDataRequestHandler::handleRequest that outputs using tainted argument $[arg #2]. (Caused by: includes/exception/HttpError.php +122) (Caused by: includes/GlobalFunctions.php +1270)" source="SecurityCheck-DoubleEscaped"/>
171 <error line="92" severity="warning" message="Calling method \HttpError::__construct() in \PageDataRequestHandler::handleRequest that outputs using tainted argument $[arg #2]. (Caused by: includes/exception/HttpError.php +122) (Caused by: includes/GlobalFunctions.php +1270; includes/linkeddata/PageDataRequestHandler.php +84)" source="SecurityCheck-DoubleEscaped"/>
172 <error line="98" severity="warning" message="Calling method \HttpError::__construct() in \PageDataRequestHandler::handleRequest that outputs using tainted argument $[arg #2]. (Caused by: includes/exception/HttpError.php +122) (Caused by: includes/GlobalFunctions.php +1270; includes/linkeddata/PageDataRequestHandler.php +84; includes/linkeddata/PageDataRequestHandler.php +96)" source="SecurityCheck-DoubleEscaped"/>
173 <error line="147" severity="warning" message="Calling method \HttpError::__construct() in \PageDataRequestHandler::httpContentNegotiation that outputs using tainted argument $msg. (Caused by: includes/exception/HttpError.php +122) (Caused by: includes/linkeddata/PageDataRequestHandler.php +146)" source="SecurityCheck-DoubleEscaped"/>
174 </file>
175 <file name="includes/logging/BlockLogFormatter.php">
176 <error line="74" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/logging/BlockLogFormatter.php +32; includes/logging/BlockLogFormatter.php +59)" source="SecurityCheck-DoubleEscaped"/>
177 </file>
178 <file name="includes/media/ExifBitmapHandler.php">
179 <error line="66" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/media/ExifBitmapHandler.php +44; includes/media/ExifBitmapHandler.php +58; includes/media/ExifBitmapHandler.php +67; includes/media/ExifBitmapHandler.php +66) (1049600 &amp;lt;- 567976)" source="SecurityCheckMulti"/>
180 </file>
181 <file name="includes/media/FormatMetadata.php">
182 <error line="164" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/media/FormatMetadata.php +164)" source="SecurityCheck-DoubleEscaped"/>
183 <error line="941" severity="warning" message="Calling method \htmlspecialchars() in \FormatMetadata::makeFormattedData that outputs using tainted argument $val. (Caused by: includes/media/FormatMetadata.php +168; includes/media/FormatMetadata.php +183; includes/media/FormatMetadata.php +205; includes/media/FormatMetadata.php +223; includes/media/FormatMetadata.php +235; includes/media/FormatMetadata.php +248; includes/...)" source="SecurityCheck-DoubleEscaped"/>
184 <error line="952" severity="warning" message="Calling method \htmlspecialchars() in \FormatMetadata::makeFormattedData that outputs using tainted argument $val. (Caused by: includes/media/FormatMetadata.php +168; includes/media/FormatMetadata.php +183; includes/media/FormatMetadata.php +205; includes/media/FormatMetadata.php +223; includes/media/FormatMetadata.php +235; includes/media/FormatMetadata.php +248; includes/...)" source="SecurityCheck-DoubleEscaped"/>
185 <error line="974" severity="warning" message="Calling method \htmlspecialchars() in \FormatMetadata::makeFormattedData that outputs using tainted argument $[arg #1]. (Caused by: includes/media/FormatMetadata.php +168; includes/media/FormatMetadata.php +183; includes/media/FormatMetadata.php +205; includes/media/FormatMetadata.php +223; includes/media/FormatMetadata.php +235; includes/media/FormatMetadata.php +248; includes/...)" source="SecurityCheck-DoubleEscaped"/>
186 </file>
187 <file name="includes/page/ImagePage.php">
188 <error line="165" severity="warning" message="Calling method \OutputPage::addHTML() in \ImagePage::view that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: includes/page/ImagePage.php +725; includes/page/ImagePage.php +701)" source="SecurityCheck-XSS"/>
189 </file>
190 <file name="includes/parser/PPFrame_DOM.php">
191 <error line="127" severity="warning" message="Calling method \wfEscapeWikiText() in \PPFrame_DOM::newChild that outputs using tainted argument $name. (Caused by: includes/GlobalFunctions.php +1549) (Caused by: includes/parser/PPFrame_DOM.php +125)" source="SecurityCheck-DoubleEscaped"/>
192 <error line="130" severity="warning" message="Calling method \wfEscapeWikiText() in \PPFrame_DOM::newChild that outputs using tainted argument $name. (Caused by: includes/GlobalFunctions.php +1549) (Caused by: includes/parser/PPFrame_DOM.php +125)" source="SecurityCheck-DoubleEscaped"/>
193 </file>
194 <file name="includes/parser/PPFrame_Hash.php">
195 <error line="119" severity="warning" message="Calling method \wfEscapeWikiText() in \PPFrame_Hash::newChild that outputs using tainted argument $name. (Caused by: includes/GlobalFunctions.php +1549) (Caused by: includes/parser/PPFrame_Hash.php +117)" source="SecurityCheck-DoubleEscaped"/>
196 <error line="122" severity="warning" message="Calling method \wfEscapeWikiText() in \PPFrame_Hash::newChild that outputs using tainted argument $name. (Caused by: includes/GlobalFunctions.php +1549) (Caused by: includes/parser/PPFrame_Hash.php +117)" source="SecurityCheck-DoubleEscaped"/>
197 </file>
198 <file name="includes/parser/Parser.php">
199 <error line="555" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +555)" source="SecurityCheck-DoubleEscaped"/>
200 <error line="762" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +762)" source="SecurityCheck-DoubleEscaped"/>
201 <error line="1428" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +1428)" source="SecurityCheck-DoubleEscaped"/>
202 <error line="1442" severity="warning" message="Calling method \Parser::doTableStuff() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1449) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442)" source="SecurityCheck-DoubleEscaped"/>
203 <error line="1442" severity="warning" message="Calling method \Parser::doTableStuff() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1449) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442)" source="SecurityCheck-DoubleEscaped"/>
204 <error line="1442" severity="warning" message="Calling method \Parser::doTableStuff() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1449) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442)" source="SecurityCheck-DoubleEscaped"/>
205 <error line="1442" severity="warning" message="Calling method \Parser::doTableStuff() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1449) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442)" source="SecurityCheck-DoubleEscaped"/>
206 <error line="1449" severity="warning" message="Calling method \Parser::replaceInternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2239) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
207 <error line="1449" severity="warning" message="Calling method \Parser::replaceInternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2239) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449)" source="SecurityCheck-DoubleEscaped"/>
208 <error line="1449" severity="warning" message="Calling method \Parser::replaceInternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2239) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449)" source="SecurityCheck-DoubleEscaped"/>
209 <error line="1449" severity="warning" message="Calling method \Parser::replaceInternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2239) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449)" source="SecurityCheck-DoubleEscaped"/>
210 <error line="1449" severity="warning" message="Calling method \Parser::replaceInternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2239) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449)" source="SecurityCheck-DoubleEscaped"/>
211 <error line="1451" severity="warning" message="Calling method \Parser::replaceExternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1994) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
212 <error line="1451" severity="warning" message="Calling method \Parser::replaceExternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1994) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
213 <error line="1451" severity="warning" message="Calling method \Parser::replaceExternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1994) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449; includes/parser/Parser.php +1451)" source="SecurityCheck-DoubleEscaped"/>
214 <error line="1451" severity="warning" message="Calling method \Parser::replaceExternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1994) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449; includes/parser/Parser.php +1451)" source="SecurityCheck-DoubleEscaped"/>
215 <error line="1451" severity="warning" message="Calling method \Parser::replaceExternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1994) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449; includes/parser/Parser.php +1451)" source="SecurityCheck-DoubleEscaped"/>
216 <error line="1996" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +1994)" source="SecurityCheck-DoubleEscaped"/>
217 <error line="2018" severity="warning" message="Calling method \LanguageConverter::markNoConversion() in \Parser::replaceExternalLinks that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1728) (Caused by: includes/parser/Parser.php +1994; includes/parser/Parser.php +1996; includes/parser/Parser.php +2018)" source="SecurityCheck-DoubleEscaped"/>
218 <error line="2027" severity="warning" message="Calling method \Linker::makeExternalLink() in \Parser::replaceExternalLinks that outputs using tainted argument $text. (Caused by: includes/Linker.php +844) (Caused by: includes/parser/Parser.php +1994; includes/parser/Parser.php +1996; includes/parser/Parser.php +2018; includes/parser/Parser.php +2027)" source="SecurityCheck-DoubleEscaped"/>
219 <error line="2027" severity="warning" message="Calling method \Linker::makeExternalLink() in \Parser::replaceExternalLinks that outputs using tainted argument $text. (Caused by: includes/Linker.php +844) (Caused by: includes/parser/Parser.php +1994; includes/parser/Parser.php +1996; includes/parser/Parser.php +2027)" source="SecurityCheck-DoubleEscaped"/>
220 <error line="2238" severity="warning" message="Calling method \Parser::replaceInternalLinks2() in \Parser::replaceInternalLinks that outputs using tainted argument $s. (Caused by: includes/parser/Parser.php +2482) (Caused by: includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
221 <error line="2369" severity="warning" message="Calling method \Parser::maybeDoSubpageLink() in \Parser::replaceInternalLinks2 that outputs using tainted argument $text. (Caused by: includes/Linker.php +1384) (Caused by: includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
222 <error line="2421" severity="warning" message="Calling method \Parser::replaceInternalLinks2() in \Parser::replaceInternalLinks2 that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2482) (Caused by: includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
223 <error line="2482" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +2482)" source="SecurityCheck-DoubleEscaped"/>
224 <error line="2482" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +2609; includes/parser/Parser.php +2609; includes/parser/Parser.php +2609; includes/parser/Parser.php +2609; includes/parser/Parser.php +2609; includes/parser/Parser.php +2609; includes/parser/Parser.php +2609; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
225 <error line="2482" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +3338; includes/parser/Parser.php +3338; includes/parser/Parser.php +3338; includes/parser/Parser.php +3338; includes/parser/Parser.php +2369; includes/parser/Parser.php +3338; includes/parser/Parser.php +3338; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
226 <error line="2482" severity="warning" message="Calling method \Parser::replaceExternalLinks() in \Parser::replaceInternalLinks2 that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1994) (Caused by: includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
227 <error line="2483" severity="warning" message="Calling method \Parser::replaceInternalLinks2() in \Parser::replaceInternalLinks2 that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2482) (Caused by: includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
228 <error line="3492" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +3489; includes/parser/Parser.php +3492)" source="SecurityCheck-DoubleEscaped"/>
229 <error line="3507" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +3489; includes/parser/Parser.php +3492; includes/parser/Parser.php +3500)" source="SecurityCheck-XSS"/>
230 <error line="6187" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +6187)" source="SecurityCheck-DoubleEscaped"/>
231 </file>
232 <file name="includes/parser/Preprocessor_DOM.php">
233 <error line="99" severity="warning" message="Calling method \UtfNormal\Validator::cleanUp() in \Preprocessor_DOM::newPartNodeArray that outputs using tainted argument $xml. (Caused by: includes/media/DjVuImage.php +302) (Caused by: includes/parser/Preprocessor_DOM.php +83; includes/parser/Preprocessor_DOM.php +86; includes/parser/Preprocessor_DOM.php +91; includes/parser/Preprocessor_DOM.php +99)" source="SecurityCheck-DoubleEscaped"/>
234 <error line="176" severity="warning" message="Calling method \UtfNormal\Validator::cleanUp() in \Preprocessor_DOM::preprocessToObj that outputs using tainted argument $xml. (Caused by: includes/media/DjVuImage.php +302) (Caused by: includes/parser/Preprocessor_DOM.php +155)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/parser/Sanitizer.php">
    <error line="1438" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Sanitizer.php +1438)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/preferences/DefaultPreferencesFactory.php">
    <error line="351" severity="warning" message="HTMLForm label key escapes its input (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
    <error line="707" severity="warning" message="HTMLForm option label needs escaping (Maybe false positive as could not determine if it was key or value that is unescaped) (Caused by: includes/preferences/DefaultPreferencesFactory.php +704)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/specials/SpecialExpandTemplates.php">
    <error line="130" severity="warning" message="Calling method \SpecialExpandTemplates::makeOutput() in \SpecialExpandTemplates::execute that outputs using tainted argument $rawhtml. (Caused by: includes/specials/SpecialExpandTemplates.php +227) (Caused by: includes/specials/SpecialExpandTemplates.php +128)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/specials/SpecialNewpages.php">
    <error line="490" severity="warning" message="Calling method \FeedItem::__construct() in \SpecialNewpages::feedItem that outputs using tainted argument $[arg #2]. (Caused by: includes/changes/FeedItem.php +145) (Caused by: includes/specials/SpecialNewpages.php +519)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/specials/SpecialRecentChanges.php">
    <error line="476" severity="warning" message="Calling method \Xml::tags() in \SpecialRecentChanges::doHeader that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Xml::tags) (Caused by: includes/specials/SpecialRecentChanges.php +469)" source="SecurityCheck-DoubleEscaped"/>
    <error line="819" severity="warning" message="Calling method \SpecialRecentChanges::makeOptionsLink() in \SpecialRecentChanges::optionsPanel that outputs using tainted argument $[arg #1]. (Caused by: includes/specials/SpecialRecentChanges.php +785)" source="SecurityCheck-DoubleEscaped"/>
    <error line="916" severity="warning" message="Calling method \SpecialRecentChanges::makeOptionsLink() in \SpecialRecentChanges::optionsPanel that outputs using tainted argument $[arg #1]. (Caused by: includes/specials/SpecialRecentChanges.php +785) (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
    <error line="919" severity="warning" message="Calling method \SpecialRecentChanges::makeOptionsLink() in \SpecialRecentChanges::optionsPanel that outputs using tainted argument $[arg #1]. (Caused by: includes/specials/SpecialRecentChanges.php +785) (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/specials/SpecialStatistics.php">
    <error line="277" severity="warning" message="Calling method \Language::formatNum() in \SpecialStatistics::getOtherStats that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstallerOptions.php +333)" source="SecurityCheck-DoubleEscaped"/>
    <error line="279" severity="warning" message="Calling method \Language::formatNum() in \SpecialStatistics::getOtherStats that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstallerOptions.php +333)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/specials/SpecialVersion.php">
    <error line="100" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/specials/SpecialVersion.php +100)" source="SecurityCheck-DoubleEscaped"/>
    <error line="124" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/specials/SpecialVersion.php +124)" source="SecurityCheck-DoubleEscaped"/>
    <error line="578" severity="warning" message="Calling method \Linker::makeExternalLink() in \SpecialVersion::getParserTags that outputs using tainted argument $[arg #2]. (Caused by: includes/Linker.php +844) (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
    <error line="584" severity="warning" message="Calling method \Linker::makeExternalLink() in \SpecialVersion::getParserTags that outputs using tainted argument $[arg #2]. (Caused by: includes/Linker.php +844) (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
    <error line="593" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/specials/SpecialVersion.php +593)" source="SecurityCheck-DoubleEscaped"/>
    <error line="619" severity="warning" message="Calling method \Linker::makeExternalLink() in \SpecialVersion::getParserFunctionHooks that outputs using tainted argument $[arg #2]. (Caused by: includes/Linker.php +844) (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
    <error line="625" severity="warning" message="Calling method \Linker::makeExternalLink() in \SpecialVersion::getParserFunctionHooks that outputs using tainted argument $[arg #2]. (Caused by: includes/Linker.php +844) (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
    <error line="776" severity="warning" message="Calling method \Linker::makeExternalLink() in \SpecialVersion::getCreditsForExtension that outputs using tainted argument $[arg #2]. (Caused by: includes/Linker.php +844)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/specials/SpecialWhatLinksHere.php">
    <error line="460" severity="warning" message="Calling method \SpecialWhatLinksHere::makeSelfLink() in \SpecialWhatLinksHere::getPrevNext that outputs using tainted argument $prev. (Caused by: includes/specials/SpecialWhatLinksHere.php +442) (Caused by: includes/specials/SpecialWhatLinksHere.php +452)" source="SecurityCheck-DoubleEscaped"/>
    <error line="464" severity="warning" message="Calling method \SpecialWhatLinksHere::makeSelfLink() in \SpecialWhatLinksHere::getPrevNext that outputs using tainted argument $next. (Caused by: includes/specials/SpecialWhatLinksHere.php +442) (Caused by: includes/specials/SpecialWhatLinksHere.php +453)" source="SecurityCheck-DoubleEscaped"/>
    <error line="472" severity="warning" message="Calling method \SpecialWhatLinksHere::makeSelfLink() in \SpecialWhatLinksHere::getPrevNext that outputs using tainted argument $prettyLimit. (Caused by: includes/specials/SpecialWhatLinksHere.php +442) (Caused by: includes/specials/SpecialWhatLinksHere.php +470)" source="SecurityCheck-DoubleEscaped"/>
    <error line="566" severity="warning" message="Calling method \SpecialWhatLinksHere::makeSelfLink() in \SpecialWhatLinksHere::getFilterPanel that outputs using tainted argument $msg. (Caused by: includes/specials/SpecialWhatLinksHere.php +442) (Caused by: includes/specials/SpecialWhatLinksHere.php +564; includes/specials/SpecialWhatLinksHere.php +547; includes/specials/SpecialWhatLinksHere.php +548)" source="SecurityCheck-DoubleEscaped"/>
    <error line="567" severity="warning" message="Calling method \SpecialWhatLinksHere::makeSelfLink() in \SpecialWhatLinksHere::getFilterPanel that outputs using tainted argument $msg. (Caused by: includes/specials/SpecialWhatLinksHere.php +442) (Caused by: includes/specials/SpecialWhatLinksHere.php +564; includes/specials/SpecialWhatLinksHere.php +547; includes/specials/SpecialWhatLinksHere.php +548)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/specials/forms/UploadForm.php">
    <error line="135" severity="warning" message="HTMLForm info field in raw mode needs to escape default key (Caused by: includes/specials/SpecialUpload.php +253)" source="SecurityCheck-XSS"/>
    <error line="301" severity="warning" message="HTMLForm info field in raw mode needs to escape default key (Caused by: includes/specials/SpecialUpload.php +253)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/specials/pagers/AllMessagesTablePager.php">
    <error line="264" severity="warning" message="Calling method \MediaWiki\Linker\LinkRenderer::makeKnownLink() in \AllMessagesTablePager::formatValue that outputs using tainted argument $talkLink. (Caused by: Builtin-\MediaWiki\Linker\LinkRenderer::makeKnownLink) (Caused by: includes/specials/pagers/AllMessagesTablePager.php +253)" source="SecurityCheck-DoubleEscaped"/>
    <error line="266" severity="warning" message="Calling method \MediaWiki\Linker\LinkRenderer::makeBrokenLink() in \AllMessagesTablePager::formatValue that outputs using tainted argument $talkLink. (Caused by: includes/linker/LinkRenderer.php +357) (Caused by: includes/specials/pagers/AllMessagesTablePager.php +253)" source="SecurityCheck-DoubleEscaped"/>
    <error line="302" severity="warning" message="Calling method \Html::element() in \AllMessagesTablePager::formatRow that outputs using tainted argument $formatted. (Caused by: Builtin-\Html::element) (Caused by: includes/specials/pagers/AllMessagesTablePager.php +296)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/specials/pagers/UsersPager.php">
    <error line="177" severity="warning" message="Calling method \Linker::userLink() in \UsersPager::formatRow that outputs using tainted argument $userName. (Caused by: includes/Linker.php +918) (Caused by: includes/specials/pagers/UsersPager.php +175; includes/EditPage.php +3851; includes/EditPage.php +3878; includes/user/UserRightsProxy.php +130)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/user/User.php">
    <error line="4519" severity="warning" message="Calling method \User::sendMail() in \User::sendConfirmationMail that outputs using tainted argument $[arg #4]. (Caused by: includes/user/User.php +4544) (Caused by: includes/user/User.php +4497)" source="SecurityCheck-XSS"/>
    <error line="4776" severity="error" message="Calling method \Wikimedia\Rdbms\Database::selectField() in \User::getEditTimestamp that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::selectField) (Caused by: includes/user/User.php +4772)" source="SecurityCheck-SQLInjection"/>
    <error line="5047" severity="error" message="Calling method \Wikimedia\Rdbms\IDatabase::selectField() in \User::initEditCountInternal that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\IDatabase::selectField) (Caused by: includes/user/User.php +5046)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="languages/Language.php">
    <error line="4240" severity="warning" message="Calling method \htmlspecialchars() in \Language::convertHtml that outputs using tainted argument $[arg #1]. (Caused by: languages/Language.php +4185; languages/Language.php +4185; languages/Language.php +4240)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="maintenance/convertLinks.php">
    <error line="221" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::query() in \ConvertLinks::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::query) (Caused by: maintenance/convertLinks.php +209; maintenance/convertLinks.php +205; maintenance/convertLinks.php +204; maintenance/convertLinks.php +158)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/populateContentTables.php">
    <error line="219" severity="error" message="Calling method \Wikimedia\Rdbms\IDatabase::select() in \PopulateContentTables::populateTable that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IDatabase::select) (Caused by: maintenance/populateContentTables.php +218; maintenance/populateContentTables.php +217; maintenance/populateContentTables.php +201)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/refreshExternallinksIndex.php">
    <error line="73" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::select() in \RefreshExternallinksIndex::doDBUpdates that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::select) (Caused by: maintenance/refreshExternallinksIndex.php +71; maintenance/populateContentTables.php +201; maintenance/refreshExternallinksIndex.php +59)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/storage/compressOld.php">
    <error line="331" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::select() in \CompressOld::compressWithConcat that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::select) (Caused by: includes/Title.php +3562; includes/Title.php +3562)" source="SecurityCheck-SQLInjection"/>
  </file>
</checkstyle>

It has 187 warnings, of which 165 are DoubleEscaped. This is way less than T216348#5185224.

Some of those are actual issues. However, I'd like to wait for seccheck 3.0 before starting to fix them.

chasemp moved this task from Incoming to Back Orders on the Security-Team board.Dec 2 2019, 8:52 PM

Latest result with taint-check 3.0.1 (excluding roughly 120 DoubleEscaped warnings):

<checkstyle version="6.5">
  <file name="includes/OutputPage.php">
    <error line="2559" severity="warning" message="Echoing expression that was not html escaped (Caused by: includes/OutputPage.php +1611; includes/OutputPage.php +1589; includes/OutputPage.php +1598; includes/OutputPage.php +1970; includes/OutputPage.php +2559; includes/OutputPage.php +2653; includes/OutputPage.php +3981; includes/OutputPage.php +2843; i...)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/Revision/RevisionStore.php">
    <error line="2452" severity="error" message="Calling method \Wikimedia\Rdbms\DBConnRef::selectField() in \MediaWiki\Revision\RevisionStore::getRelativeRevision that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\DBConnRef::selectField)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="includes/export/WikiExporter.php">
    <error line="529" severity="warning" message="Calling method \DumpOutput::writeOpenPage() in \WikiExporter::outputPageStreamBatch that outputs using tainted argument $output. (Caused by: includes/export/DumpOutput.php +50) (Caused by: includes/export/WikiExporter.php +528)" source="SecurityCheck-XSS"/>
    <error line="532" severity="warning" message="Calling method \DumpOutput::writeRevision() in \WikiExporter::outputPageStreamBatch that outputs using tainted argument $output. (Caused by: includes/export/DumpOutput.php +65) (Caused by: includes/export/WikiExporter.php +531)" source="SecurityCheck-XSS"/>
    <error line="596" severity="warning" message="Calling method \DumpOutput::writeLogItem() in \WikiExporter::outputLogStream that outputs using tainted argument $output. (Caused by: includes/export/DumpOutput.php +73) (Caused by: includes/export/WikiExporter.php +595)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/installer/CliInstaller.php">
    <error line="233" severity="warning" message="Echoing expression that was not html escaped (Caused by: includes/installer/CliInstaller.php +253)" source="SecurityCheck-XSS"/>
    <error line="238" severity="warning" message="Echoing expression that was not html escaped (Caused by: includes/installer/CliInstaller.php +253)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/installer/PostgresUpdater.php">
    <error line="1113" severity="error" message="Calling method \Wikimedia\Rdbms\DatabasePostgres::query() in \PostgresUpdater::dropFkey that outputs using tainted argument $command. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query) (Caused by: includes/installer/PostgresUpdater.php +1112; includes/installer/PostgresUpdater.php +1108)" source="SecurityCheck-SQLInjection"/>
    <error line="1135" severity="error" message="Calling method \Wikimedia\Rdbms\DatabasePostgres::query() in \PostgresUpdater::changeFkeyDeferrable that outputs using tainted argument $command. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query) (Caused by: includes/installer/PostgresUpdater.php +1134; includes/installer/PostgresUpdater.php +1131)" source="SecurityCheck-SQLInjection"/>
    <error line="1144" severity="error" message="Calling method \Wikimedia\Rdbms\DatabasePostgres::query() in \PostgresUpdater::changeFkeyDeferrable that outputs using tainted argument $command. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query) (Caused by: includes/installer/PostgresUpdater.php +1134; includes/installer/PostgresUpdater.php +1131; includes/installer/PostgresUpdater.php +1141; includes/installer/PostgresUpdater.php +1133; includes/installer/PostgresUpdater.php +1131)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="includes/installer/WebInstallerOptions.php">
    <error line="217" severity="warning" message="Calling method \Message::rawParams() in \WebInstallerOptions::execute that outputs using tainted argument $ext. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/installer/WebInstallerOptions.php +160; includes/installer/WebInstallerOptions.php +175) (Param is raw)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/jobqueue/utils/BacklinkJobUtils.php">
    <error line="102" severity="error" message="Calling method \BacklinkCache::partition() in \BacklinkJobUtils::partitionBacklinkJob that outputs using tainted argument $[arg #1]. (Caused by: includes/cache/BacklinkCache.php +441) (Caused by: includes/jobqueue/utils/BacklinkJobUtils.php +90)" source="SecurityCheck-SQLInjection"/>
    <error line="112" severity="error" message="Calling method \BacklinkCache::getLinks() in \BacklinkJobUtils::partitionBacklinkJob that outputs using tainted argument $[arg #1]. (Caused by: includes/cache/BacklinkCache.php +172) (Caused by: includes/jobqueue/utils/BacklinkJobUtils.php +90)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="includes/libs/rdbms/database/DatabasePostgres.php">
    <error line="835" severity="error" message="Calling method \Wikimedia\Rdbms\DatabasePostgres::query() in \Wikimedia\Rdbms\DatabasePostgres::resetSequencesForTable that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query) (Caused by: includes/libs/rdbms/database/DatabasePostgres.php +831)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="includes/libs/rdbms/database/DatabaseSqlite.php">
    <error line="1026" severity="error" message="Calling method \Wikimedia\Rdbms\DatabaseSqlite::query() in \Wikimedia\Rdbms\DatabaseSqlite::duplicateTableStructure that outputs using tainted argument $sql. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query) (Caused by: includes/libs/rdbms/database/DatabaseSqlite.php +1009; includes/libs/rdbms/database/DatabaseSqlite.php +1022)" source="SecurityCheck-SQLInjection"/>
    <error line="1052" severity="error" message="Calling method \Wikimedia\Rdbms\DatabaseSqlite::query() in \Wikimedia\Rdbms\DatabaseSqlite::duplicateTableStructure that outputs using tainted argument $sql. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query) (Caused by: includes/libs/rdbms/database/DatabaseSqlite.php +1042; includes/libs/rdbms/database/DatabaseSqlite.php +1041; includes/Storage/NameTableStore.php +384; includes/libs/rdbms/database/DatabaseSqlite.php +607; includes/libs/rdbms/database/DatabaseSqlite...)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="includes/logging/LogFormatter.php">
    <error line="255" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="260" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="273" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="277" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="304" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="310" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="314" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="320" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="335" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="348" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="353" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="372" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="376" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="383" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="406" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $duration. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +400) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="406" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="410" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="421" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $duration. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +414) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="421" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="430" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="434" severity="warning" message="Calling method \Message::rawParams() in \LogFormatter::getIRCActionText that outputs using tainted argument $target. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogFormatter.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/logging/LogPage.php">
    <error line="250" severity="warning" message="Calling method \Message::rawParams() in \LogPage::actionText that outputs using tainted argument $titleLink. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/LogPage.php +247) (Param is raw)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/page/ImagePage.php">
    <error line="165" severity="warning" message="Calling method \OutputPage::addHTML() in \ImagePage::view that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: includes/page/ImagePage.php +733; includes/page/ImagePage.php +709)" source="SecurityCheck-XSS"/>
    <error line="510" severity="warning" message="Calling method \Message::rawParams() in \ImagePage::openShowImage that outputs using tainted argument $select. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/page/ImagePage.php +502) (Param is raw)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/parser/Parser.php">
    <error line="3511" severity="warning" message="Calling method \Parser::insertStripItem() in \Parser::braceSubstitution that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1230)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/preferences/DefaultPreferencesFactory.php">
    <error line="379" severity="warning" message="Calling method \Message::rawParams() in \MediaWiki\Preferences\DefaultPreferencesFactory::profilePreferences that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/preferences/DefaultPreferencesFactory.php +364; includes/preferences/DefaultPreferencesFactory.php +350; includes/preferences/DefaultPreferencesFactory.php +372) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="379" severity="warning" message="Calling method \Message::rawParams() in \MediaWiki\Preferences\DefaultPreferencesFactory::profilePreferences that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/preferences/DefaultPreferencesFactory.php +365; includes/preferences/DefaultPreferencesFactory.php +351; includes/preferences/DefaultPreferencesFactory.php +373) (Param is raw)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/resourceloader/ResourceLoader.php">
    <error line="917" severity="warning" message="Echoing expression that was not html escaped (Caused by: includes/resourceloader/ResourceLoader.php +870; includes/resourceloader/ResourceLoader.php +902)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/specials/SpecialContributions.php">
    <error line="579" severity="warning" message="HTMLForm option label needs escaping (for value 'associated') (Caused by: Builtin-\Message::text; includes/language/Message.php +952)" source="SecurityCheck-XSS"/>
    <error line="579" severity="warning" message="HTMLForm option label needs escaping (for value 'nsInvert') (Caused by: Builtin-\Message::text; includes/language/Message.php +952)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/specials/SpecialUserrights.php">
    <error line="677" severity="warning" message="Calling method \Message::rawParams() in \UserrightsPage::showEditUserGroupsForm that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/specials/SpecialUserrights.php +654; includes/specials/SpecialUserrights.php +650; includes/specials/SpecialUserrights.php +657; includes/specials/SpecialUserrights.php +650) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="677" severity="warning" message="Calling method \Message::rawParams() in \UserrightsPage::showEditUserGroupsForm that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/specials/SpecialUserrights.php +655; includes/specials/SpecialUserrights.php +651; includes/specials/SpecialUserrights.php +658; includes/specials/SpecialUserrights.php +651) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="682" severity="warning" message="Calling method \Message::rawParams() in \UserrightsPage::showEditUserGroupsForm that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/specials/SpecialUserrights.php +670) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="682" severity="warning" message="Calling method \Message::rawParams() in \UserrightsPage::showEditUserGroupsForm that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/specials/SpecialUserrights.php +671) (Param is raw)" source="SecurityCheck-XSS"/>
    <error line="757" severity="warning" message="Calling method \OutputPage::addHTML() in \UserrightsPage::showEditUserGroupsForm that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: includes/specials/SpecialUserrights.php +691; includes/specials/SpecialUserrights.php +695; includes/specials/SpecialUserrights.php +677; includes/specials/SpecialUserrights.php +704; includes/specials/SpecialUserrights.php +700; includes/specials/S...  includes/specials/SpecialUserrights.php +724)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/specials/SpecialVersion.php">
    <error line="153" severity="warning" message="Calling method \OutputPage::addHTML() in \SpecialVersion::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: includes/specials/SpecialVersion.php +495; includes/specials/SpecialVersion.php +483; includes/specials/SpecialVersion.php +491; includes/specials/SpecialVersion.php +493; includes/specials/SpecialVersion.php +469; includes/specials/SpecialVersion.php +436; includes/specials/SpecialVersion.php +460; includes/specials/SpecialVersion.php +465; includes/specials/SpecialVersion.php +467; includes/specials/SpecialVersion.php +600; includes/specials/SpecialVersion.php +642; includes/specials/SpecialVersion.php +671)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/specials/forms/UploadForm.php">
    <error line="139" severity="warning" message="HTMLForm info field in raw mode needs to escape default key (Caused by: includes/specials/SpecialUpload.php +263)" source="SecurityCheck-XSS"/>
    <error line="306" severity="warning" message="HTMLForm info field in raw mode needs to escape default key (Caused by: includes/specials/SpecialUpload.php +263)" source="SecurityCheck-XSS"/>
  </file>
  <file name="maintenance/convertExtensionToRegistration.php">
    <error line="87" severity="warning" message="Argument to require, include or eval is user controlled (Caused by: maintenance/convertExtensionToRegistration.php +83)" source="SecurityCheck-OTHER"/>
  </file>
  <file name="maintenance/convertLinks.php">
    <error line="226" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::query() in \ConvertLinks::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::query) (Caused by: maintenance/convertLinks.php +214; maintenance/convertLinks.php +210; maintenance/convertLinks.php +157; maintenance/convertLinks.php +206; maintenance/convertLinks.php +209; maintenance/convertLinks.php +162; includes/installer/MysqlUpdater.php +61...)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/fixTimestamps.php">
    <error line="54" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::query() in \FixTimestamps::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::query) (Caused by: maintenance/fixTimestamps.php +48; maintenance/fixTimestamps.php +47)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/generateJsonI18n.php">
    <error line="71" severity="warning" message="Calling method \GenerateJsonI18n::transformI18nFile() in \GenerateJsonI18n::execute that outputs using tainted argument $phpfile. (Caused by: maintenance/generateJsonI18n.php +113) (Caused by: maintenance/generateJsonI18n.php +51; maintenance/generateJsonI18n.php +60; maintenance/generateJsonI18n.php +53)" source="SecurityCheck-OTHER"/>
    <error line="91" severity="warning" message="Calling method \GenerateJsonI18n::transformI18nFile() in \GenerateJsonI18n::execute that outputs using tainted argument $phpfile. (Caused by: maintenance/generateJsonI18n.php +113) (Caused by: maintenance/generateJsonI18n.php +51; maintenance/generateJsonI18n.php +60; maintenance/generateJsonI18n.php +53)" source="SecurityCheck-OTHER"/>
  </file>
  <file name="maintenance/includes/MigrateActors.php">
    <error line="316" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::update() in \MigrateActors::migrate that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::update) (Caused by: maintenance/includes/MigrateActors.php +306)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/mergeMessageFileList.php">
    <error line="170" severity="warning" message="Argument to require, include or eval is user controlled (Caused by: maintenance/mergeMessageFileList.php +159)" source="SecurityCheck-OTHER"/>
  </file>
  <file name="maintenance/migrateComments.php">
    <error line="105" severity="error" message="Calling method \Wikimedia\Rdbms\IDatabase::insert() in \MigrateComments::loadCommentIDs that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Wikimedia\Rdbms\IDatabase::insert) (Caused by: maintenance/migrateComments.php +73)" source="SecurityCheck-SQLInjection"/>
    <error line="105" severity="error" message="Calling method \Wikimedia\Rdbms\IDatabase::insert() in \MigrateComments::loadCommentIDs that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Wikimedia\Rdbms\IDatabase::insert) (Caused by: maintenance/migrateComments.php +73; maintenance/migrateComments.php +169; maintenance/migrateComments.php +97; maintenance/migrateComments.php +263; maintenance/migrateComments.php +97; maintenance/migrateComments.php +265; maintenance/migrateComme...)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/nukeNS.php">
    <error line="62" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::query() in \NukeNS::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::query) (Caused by: maintenance/nukeNS.php +54)" source="SecurityCheck-SQLInjection"/>
    <error line="72" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::query() in \NukeNS::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::query) (Caused by: maintenance/nukeNS.php +69)" source="SecurityCheck-SQLInjection"/>
    <error line="88" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::query() in \NukeNS::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::query) (Caused by: maintenance/nukeNS.php +69)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/nukePage.php">
    <error line="63" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::query() in \NukePage::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::query) (Caused by: maintenance/nukePage.php +56)" source="SecurityCheck-SQLInjection"/>
    <error line="74" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::query() in \NukePage::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::query) (Caused by: maintenance/nukePage.php +56)" source="SecurityCheck-SQLInjection"/>
    <error line="77" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::query() in \NukePage::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::query) (Caused by: maintenance/nukePage.php +56)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/populateContentModel.php">
    <error line="61" severity="error" message="Calling method \PopulateContentModel::populateRevisionOrArchive() in \PopulateContentModel::execute that outputs using tainted argument $table. (Caused by: maintenance/populateContentModel.php +229) (Caused by: maintenance/populateContentModel.php +57)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/populateContentTables.php">
    <error line="217" severity="error" message="Calling method \Wikimedia\Rdbms\IDatabase::select() in \PopulateContentTables::populateTable that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IDatabase::select) (Caused by: maintenance/populateContentTables.php +216; maintenance/populateContentTables.php +215; maintenance/populateContentTables.php +199)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/recountCategories.php">
    <error line="126" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::selectFieldValues() in \RecountCategories::doWork that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::selectFieldValues) (Caused by: maintenance/recountCategories.php +117; maintenance/recountCategories.php +82)" source="SecurityCheck-SQLInjection"/>
    <error line="126" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::selectFieldValues() in \RecountCategories::doWork that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::selectFieldValues) (Caused by: maintenance/recountCategories.php +117; maintenance/recountCategories.php +82; maintenance/recountCategories.php +145)" source="SecurityCheck-SQLInjection"/>
    <error line="161" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::update() in \RecountCategories::doWork that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::update) (Caused by: includes/jobqueue/JobQueueDB.php +643; maintenance/recountCategories.php +160; maintenance/recountCategories.php +82)" source="SecurityCheck-SQLInjection"/>
    <error line="161" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::update() in \RecountCategories::doWork that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::update) (Caused by: maintenance/recountCategories.php +82; includes/jobqueue/JobQueueDB.php +643; maintenance/recountCategories.php +160; maintenance/recountCategories.php +160)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/refreshExternallinksIndex.php">
    <error line="73" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::select() in \RefreshExternallinksIndex::doDBUpdates that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::select) (Caused by: maintenance/refreshExternallinksIndex.php +71; maintenance/populateContentTables.php +199; maintenance/refreshExternallinksIndex.php +59)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/runBatchedQuery.php">
    <error line="80" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::select() in \RunBatchedQuery::execute that outputs using tainted argument $key. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::select) (Caused by: maintenance/runBatchedQuery.php +51)" source="SecurityCheck-SQLInjection"/>
    <error line="80" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::select() in \RunBatchedQuery::execute that outputs using tainted argument $table. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::select) (Caused by: maintenance/runBatchedQuery.php +50)" source="SecurityCheck-SQLInjection"/>
    <error line="81" severity="error" message="ORDER BY clause is user controlled (Caused by: maintenance/runBatchedQuery.php +51) (Originally at: maintenance/runBatchedQuery.php:80)" source="SecurityCheck-SQLInjection"/>
    <error line="97" severity="error" message="IDatabase::makeList with LIST_AND, LIST_OR or LIST_SET must sql escape string key names and values of numeric keys (Caused by: maintenance/runBatchedQuery.php +87; maintenance/runBatchedQuery.php +92)" source="SecurityCheck-SQLInjection"/>
    <error line="99" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::query() in \RunBatchedQuery::execute that outputs using tainted argument $query. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::query) (Caused by: maintenance/runBatchedQuery.php +95; maintenance/runBatchedQuery.php +52)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/runScript.php">
    <error line="64" severity="warning" message="Argument to require, include or eval is user controlled (Caused by: maintenance/runScript.php +57)" source="SecurityCheck-OTHER"/>
  </file>
  <file name="maintenance/sql.php">
    <error line="112" severity="error" message="Calling method \MwSql::sqlDoQuery() in \MwSql::execute that outputs using tainted argument $query. (Caused by: maintenance/sql.php +174) (Caused by: maintenance/sql.php +111)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/sqlite.inc">
    <error line="80" severity="error" message="Calling method \Wikimedia\Rdbms\DatabaseSqlite::query() in \Sqlite::checkSqlSyntax that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query) (Caused by: includes/Storage/NameTableStore.php +384; includes/libs/rdbms/database/DatabaseSqlite.php +607; includes/libs/rdbms/database/DatabaseSqlite.php +783; includes/libs/rdbms/database/DatabaseSqlite.php +1030; includes/libs/rdbms/database/DatabaseSqlite....)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/storage/compressOld.php">
    <error line="328" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::select() in \CompressOld::compressWithConcat that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::select) (Caused by: includes/resourceloader/ResourceLoaderWikiModule.php +440; maintenance/checkBadRedirects.php +49; maintenance/deleteOldRevisions.php +64; maintenance/orphans.php +160; includes/CategoryFinder.php +216; includes/CategoryFinder.php +248; includes/api/ApiQueryInfo.php +755; includes/api/ApiQueryAllPages.php +217; includes/api/ApiQueryAllPages.php +226; includes/api/ApiQueryBacklinks.php +182; includes/api/ApiQueryBac...)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="maintenance/uppercaseTitlesForUnicodeTransition.php">
    <error line="153" severity="warning" message="Argument to require, include or eval is user controlled (Caused by: maintenance/uppercaseTitlesForUnicodeTransition.php +146)" source="SecurityCheck-OTHER"/>
  </file>
</checkstyle>

Change 589891 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/core@master] maintenance: Add @return-taint none to getArg and getOption

https://gerrit.wikimedia.org/r/589891

Change 589891 merged by jenkins-bot:
[mediawiki/core@master] maintenance: Add @return-taint none to getArg and getOption

https://gerrit.wikimedia.org/r/589891

Is it possible that the new version of taint-check handles mixed differently than before? I am seeing some false positives where the mixed return type of functions seems to be involved.

<file name="maintenance\refreshExternallinksIndex.php">
  <error line="76" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::select() in \RefreshExternallinksIndex::doDBUpdates that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::select) (Caused by: maintenance\refreshExternallinksIndex.php +74; maintenance\populateContentTables.php +199; maintenance\refreshExternallinksIndex.php +61)" source="SecurityCheck-SQLInjection"/>
</file>
		$start = $minmax->min - 1;
		$last = $minmax->max;
		$lbFactory = MediaWikiServices::getInstance()->getDBLoadBalancerFactory();
		while ( $start < $last ) {
			$end = min( $start + $this->mBatchSize, $last );      // <!-- php.net documents min() as having a mixed return type - I hope that phan can see that this would always return an int as the real type
			$this->output( "el_id $start - $end of $last\n" );
			$res = $dbw->select( 'externallinks', [ 'el_id', 'el_to', 'el_index' ],
				[
					"el_id > $start",
					"el_id <= $end",
				],
				__METHOD__,
				[ 'ORDER BY' => 'el_id' ]
			);

Or is it an issue with objects, as $minmax is an object with two int fields?

<file name="includes\specials\pagers\ImageListPager.php">
  <error line="503" severity="warning" message="Calling method \MediaWiki\Linker\LinkRenderer::makeLink() in \ImageListPager::formatValue that outputs using tainted argument $name. (Caused by: Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes\specials\pagers\ImageListPager.php +502)" source="SecurityCheck-DoubleEscaped"/>
</file>
					$name = User::whoIs( $this->mCurrentRow->img_user );
					$link = $linkRenderer->makeLink(
						Title::makeTitle( NS_USER, $name ),
						$name
					);

The $name seems safe and correct as there is no escaping involved. User::whoIs takes its data from UserCache::getProp, which is documented as mixed.

Change 595234 had a related patch set uploaded (by Umherirrender; owner: Umherirrender):
[mediawiki/core@master] Avoid reuse of local variable in RevisionStore

https://gerrit.wikimedia.org/r/595234

Change 595237 had a related patch set uploaded (by Umherirrender; owner: Umherirrender):
[mediawiki/core@master] Use db abstraction layer in nukePage and nukeNS maintenance script

https://gerrit.wikimedia.org/r/595237

Is it possible that the new version of taint-check handles mixed differently than before? I am seeing some false positives where the mixed return type of functions seems to be involved.

Not in taint-check directly, as it doesn't care about types, except for a very small part.

The call to min() isn't clearing the taint from its arguments, and that's indeed because the function returns mixed. Taint-check handles internal funcs that return mixed as if they just preserve the taint of the arguments, and that's what it does here. However, it's always been like this AFAIK.

The $name seems safe and correct as there is no escaping involved.

I can't tell for sure. Taint-check does have several false positives, but it also analyzes things very deeply, and lots of times I have found it to be right even when it didn't seem so at first.

User::whoIs takes its data from UserCache::getProp, which is documented as mixed

It might or might not be related. Unlike built-in PHP functions, methods are analyzed thoroughly, and the return type only plays a tiny part.


As a side note, I suggest not to worry about taint-check issues for core. Many of those are false positives, and I'm focusing on them for the next release.

Is it possible that the new version of taint-check handles mixed differently than before? I am seeing some false positives where the mixed return type of functions seems to be involved.

Not in taint-check directly, as it doesn't care about types, except for a very small part.

The call to min() isn't clearing the taint from its arguments, and that's indeed because the function returns mixed. Taint-check handles internal funcs that return mixed as if they just preserve the taint of the arguments, and that's what it does here. However, it's always been like this AFAIK.

But then it takes the taint of the arguments of min() differently than in the release before, but that all looks like int to me. Maybe it needs a deeper check.

The $name seems safe and correct as there is no escaping involved.

I can't tell for sure. Taint-check does have several false positives, but it also analyzes things very deeply, and lots of times I have found it to be right even when it didn't seem so at first.

User::whoIs takes its data from UserCache::getProp, which is documented as mixed

It might or might not be related. Unlike built-in PHP functions, methods are analyzed thoroughly, and the return type only plays a tiny part.

It seems that all user names are unsafe, as I am seeing many places with users from the UserCache or from User::getName, very confusing. This also seems to need a deeper check.


As a side note, I suggest not to worry about taint-check issues for core. Many of those are false positives, and I'm focusing on them for the next release.

Not all, I am just looking around and trying to fix some of them.

Is it possible that the new version of taint-check handles mixed differently than before? I am seeing some false positives where the mixed return type of functions seems to be involved.

Not in taint-check directly, as it doesn't care about types, except for a very small part.

The call to min() isn't clearing the taint from its arguments, and that's indeed because the function returns mixed. Taint-check handles internal funcs that return mixed as if they just preserve the taint of the arguments, and that's what it does here. However, it's always been like this AFAIK.

But then it takes the taint of the arguments of min() differently than in the release before

This is possible, but the current is intended behaviour.

, but that all looks like int to me. Maybe it needs a deeper check.

Phan hardcodes min() as returning mixed, there's nothing we can do about that -- except add a special case, like "if all arguments to min() are integers, then the return value is an integer", but that should really live inside phan, not taint-check. There's no other "deeper check" that would work, take the following:

$min = min( ['<script>alert()</script>'], [42]);
echo $min[0];

It seems that all user names are unsafe, as I am seeing many places with users from the UserCache or from User::getName, very confusing. This also seems to need a deeper check.

User names *are* unsafe, so nothing wrong here.

As a side note, I suggest not to worry about taint-check issues for core. Many of those are false positives, and I'm focusing on them for the next release.

Not all, I am just looking around and trying to fix some of them.

Yeah, I was just suggesting to wait for a release or two, because many issues are false positives, and there are many other false negatives that still don't show up.

It seems that all user names are unsafe, as I am seeing many places with users from the UserCache or from User::getName, very confusing. This also seems to need a deeper check.

User names *are* unsafe, so nothing wrong here.

It seems it is the other way round. User names are treated as safe, and using them in places where escaping is known (such as LinkRenderer::makeLink as the second argument) is reported as DoubleEscaped.
Also, passing a user name to wfEscapeWikiText reports DoubleEscaped.

It seems that all user names are unsafe, as I am seeing many places with users from the UserCache or from User::getName, very confusing. This also seems to need a deeper check.

User names *are* unsafe, so nothing wrong here.

It seems it is the other way round. User names are treated as safe, and using them in places where escaping is known (such as LinkRenderer::makeLink as the second argument) is reported as DoubleEscaped.
Also, passing a user name to wfEscapeWikiText reports DoubleEscaped.

Taint for User::mName is polluted by Wikimedia\IPUtils::sanitizeIP.
When I comment out that statement in User::getName, many issues go away (including the one listed above from ImageListPager).
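
Added example (not code from MediaWiki or phan-taint-check): a toy Python model of the two propagation rules discussed in the replies above, showing why min() keeps its arguments' taint and why a getName() value that the analyzer considers already escaped is reported as DoubleEscaped when it reaches the escaping link-text parameter of makeLink. The flag names, the sinks and the rules are a constructed simplification, not the tool's real implementation.

```python
"""Toy model of taint propagation in a taint-check-style analyzer.

Added example, not phan-taint-check's own code: flag names and rules are a
constructed approximation of the behaviour described in this thread (an
internal function typed `mixed`, such as min(), passes the union of its
arguments' taint through; a value already flagged as escaped that reaches
another escaping parameter is reported as DoubleEscaped; `@return-taint none`
clears everything).
"""
from enum import IntFlag
from typing import Optional


class Taint(IntFlag):
    NONE = 0
    HTML = 1     # may hold unescaped user input bound for HTML output
    SQL = 2      # may hold unescaped user input bound for a query
    ESCAPED = 4  # already escaped; escaping it again double-escapes


def mixed_builtin(*arg_taints: Taint) -> Taint:
    """min() and friends are typed `mixed` by phan, so the analyzer cannot
    tell which argument comes back and keeps every argument's taint."""
    result = Taint.NONE
    for t in arg_taints:
        result |= t
    return result


def escaper(arg: Taint) -> Taint:
    """An escaping function (htmlspecialchars, or a method the analyzer
    treats as escaping, which is how the thread describes the effect of
    IPUtils::sanitizeIP): HTML taint is dropped and ESCAPED is set."""
    return (arg & ~Taint.HTML) | Taint.ESCAPED


def return_taint_none(_arg: Taint) -> Taint:
    """Effect of a `@return-taint none` annotation (as added to getArg and
    getOption in this task): the return value is clean whatever flowed in."""
    return Taint.NONE


def check_sink(arg: Taint, sink: str, executes: Taint) -> Optional[str]:
    """Report when the argument carries taint the sink executes. An escaping
    sink 'executes' ESCAPED: already-escaped text reaching it is the
    DoubleEscaped case."""
    hit = arg & executes
    if not hit:
        return None
    kind = "DoubleEscaped" if hit == Taint.ESCAPED else hit.name
    return f"SecurityCheck-{kind}: tainted argument reaches {sink}"


def min_flow(start: Taint, last: Taint) -> Optional[str]:
    """$end = min( $start + $batch, $last ) used in an SQL condition: min()
    does not launder taint, so if either input is SQL-tainted, $end is too."""
    end = mixed_builtin(start, last)
    return check_sink(end, "IMaintainableDatabase::select", Taint.SQL)


def user_name_flow(sanitize_marks_escaped: bool) -> Optional[str]:
    """$name = User::getName(); makeLink( $title, $name ). If getName's
    return is flagged escaped, the escaping link-text parameter reports
    DoubleEscaped; without that flag the same call is clean."""
    raw_name = Taint.HTML  # user-chosen names are untrusted input
    name = escaper(raw_name) if sanitize_marks_escaped else raw_name
    return check_sink(name, "LinkRenderer::makeLink arg #2", Taint.ESCAPED)


if __name__ == "__main__":
    print(min_flow(Taint.SQL, Taint.NONE), user_name_flow(True))
    print(min_flow(Taint.NONE, Taint.NONE), user_name_flow(False))
```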

Change 595255 had a related patch set uploaded (by Umherirrender; owner: Umherirrender):
[mediawiki/core@master] Improve some message escaping on special pages

https://gerrit.wikimedia.org/r/595255

Change 595234 merged by jenkins-bot:
[mediawiki/core@master] Avoid reuse of local variable in RevisionStore

https://gerrit.wikimedia.org/r/595234

Change 595237 merged by jenkins-bot:
[mediawiki/core@master] Use db abstraction layer in nukePage and nukeNS maintenance script

https://gerrit.wikimedia.org/r/595237