Page MenuHomePhabricator

Phan blocks merge of
Closed, ResolvedPublic


15:23:05   <file name="specials/SpecialExportTranslations.php">
15:23:05     <error line="238" severity="warning" message="Calling method \Html::element() in \SpecialExportTranslations::doExport that outputs using tainted argument $text. (Caused by: Builtin-\Html::element) (Caused by: specials/SpecialExportTranslations.php +233; specials/SpecialExportTranslations.php +236; specials/SpecialExportTranslations.php +234)" source="SecurityCheck-DoubleEscaped"/>
15:23:05   </file>

Event Timeline

Nikerabbit added a subscriber: Daimona.

@Daimona This looks like a false positive to me. How to fix?

I haven't checked deeply, but it might be a false positive. I'm going to suppress it

Ah, I see this is caused by that very patch, and it's not already broken on master. I'll let you suppress it then, you should just add // @phan-suppress-next-line SecurityCheck-DoubleEscaped at line 237

I've investigated. The plugin is inferring that Html::openElement returns an escaped value, regardless of its arguments. In your patch, getTranslationPageText includes an Html::openElement in its return value at line 228, and that's why the plugin thinks that the return value of getTranslationPageText is escaped. Calling Html::element does the rest. I confirm that the issue can be safely suppressed.

You can use Xml class to create wikitext. The Html class is for outputting and thats involved (html) escaping.

Using Xml class instead of Html did not seem to have any effect.

Nikerabbit claimed this task.

Suppression works, went with that.