15:23:05 <file name="specials/SpecialExportTranslations.php">
15:23:05 <error line="238" severity="warning" message="Calling method \Html::element() in \SpecialExportTranslations::doExport that outputs using tainted argument $text. (Caused by: Builtin-\Html::element) (Caused by: specials/SpecialExportTranslations.php +233; specials/SpecialExportTranslations.php +236; specials/SpecialExportTranslations.php +234)" source="SecurityCheck-DoubleEscaped"/>
15:23:05 </file>
Description
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | Goal | Nikerabbit | T254481 Support sending TechNews using Special:MassMessage
Resolved | | Nikerabbit | T254484 Tag untranslated translations units with lang and dir attributes
Resolved | | Nikerabbit | T255561 Phan blocks merge of https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Translate/+/603471
Event Timeline
Ah, I see this is caused by that very patch, and it's not already broken on master. I'll let you suppress it then; you should just add `// @phan-suppress-next-line SecurityCheck-DoubleEscaped` at line 237.
I've investigated. The plugin is inferring that Html::openElement returns an escaped value, regardless of its arguments. In your patch, getTranslationPageText includes an Html::openElement in its return value at line 228, and that's why the plugin thinks that the return value of getTranslationPageText is escaped. Calling Html::element does the rest. I confirm that the issue can be safely suppressed.
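The situation described in the comment above, as an added example (not code from the Translate extension or from MediaWiki). `openElement()` and `element()` are simplified stand-ins for `Html::openElement` and `Html::element`; `pageText()`, the tags and the sample string are assumptions. It contrasts the flagged pattern, where the contents are escaped exactly once on output, with a genuine double escape.

```php
<?php
// Simplified stand-in for Html::openElement (assumption, not MediaWiki's code).
function openElement(string $tag, array $attribs = []): string {
    $out = "<$tag";
    foreach ($attribs as $name => $value) {
        $out .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
    }
    return $out . '>';
}

// Simplified stand-in for Html::element: contents are always HTML-escaped.
function element(string $tag, array $attribs, string $contents): string {
    return openElement($tag, $attribs)
        . htmlspecialchars($contents, ENT_NOQUOTES)
        . "</$tag>";
}

// Hypothetical helper shaped like the one in the thread: it returns text
// that embeds an opening tag next to a translation that is NOT escaped.
function pageText(string $translation, string $lang): string {
    return openElement('div', ['lang' => $lang, 'dir' => 'ltr'])
        . "\n" . $translation . "\n</div>";
}

// True when a single HTML decode restores the original text,
// i.e. the text was escaped exactly once.
function escapedOnce(string $escaped, string $original): bool {
    return htmlspecialchars_decode($escaped, ENT_NOQUOTES) === $original;
}

$translation = 'Tom & Jerry <3'; // constructed sample input

// Flagged pattern: raw text containing markup goes into element().
$raw = pageText($translation, 'fi');
echo element('textarea', ['rows' => '5'], $raw), "\n";
var_dump(escapedOnce(htmlspecialchars($raw, ENT_NOQUOTES), $raw));

// Genuine double escape: text escaped by the caller, then again by element().
$pre = htmlspecialchars($translation, ENT_NOQUOTES);
echo element('p', [], $pre), "\n";
var_dump(escapedOnce(htmlspecialchars($pre, ENT_NOQUOTES), $translation));
```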
You can use the Xml class to create wikitext. The Html class is for outputting, and that involves (HTML) escaping.