Page MenuHomePhabricator
Create Task
Maniphest T255561

Phan blocks merge of https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Translate/+/603471
Closed, ResolvedPublic
Actions

Description

15:23:05   <file name="specials/SpecialExportTranslations.php">
15:23:05     <error line="238" severity="warning" message="Calling method \Html::element() in \SpecialExportTranslations::doExport that outputs using tainted argument $text. (Caused by: Builtin-\Html::element) (Caused by: specials/SpecialExportTranslations.php +233; specials/SpecialExportTranslations.php +236; specials/SpecialExportTranslations.php +234)" source="SecurityCheck-DoubleEscaped"/>
15:23:05   </file>

Related Objects
Search...

Event Timeline

Nikerabbit created this task.Jun 16 2020, 1:30 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 16 2020, 1:30 PM
Nikerabbit added a project: phan-taint-check-plugin.Jun 16 2020, 1:31 PM
Nikerabbit added a subscriber: Daimona.

@Daimona This looks like a false positive to me. How to fix?

Nikerabbit added a parent task: T254484: Tag untranslated translations units with lang and dir attributes.Jun 16 2020, 1:31 PM
Daimona claimed this task.Jun 16 2020, 2:08 PM

I haven't checked deeply, but it might be a false positive. I'm going to suppress it

Daimona removed Daimona as the assignee of this task.Jun 16 2020, 2:10 PM

Ah, I see this is caused by that very patch, and it's not already broken on master. I'll let you suppress it then, you should just add // @phan-suppress-next-line SecurityCheck-DoubleEscaped at line 237

Daimona added a comment.Jun 16 2020, 2:30 PM

I've investigated. The plugin is inferring that Html::openElement returns an escaped value, regardless of its arguments. In your patch, getTranslationPageText includes an Html::openElement in its return value at line 228, and that's why the plugin thinks that the return value of getTranslationPageText is escaped. Calling Html::element does the rest. I confirm that the issue can be safely suppressed.

Umherirrender subscribed.Jun 16 2020, 5:40 PM

You can use Xml class to create wikitext. The Html class is for outputting and thats involved (html) escaping.

Nikerabbit added a comment.Jun 17 2020, 9:33 AM

Using Xml class instead of Html did not seem to have any effect.

Nikerabbit closed this task as Resolved.Jun 17 2020, 10:26 AM
Nikerabbit claimed this task.

Suppression works, went with that.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL