Language::truncateInternal() has the following code:
private function truncateInternal(
$string, $length, $ellipsis, $adjustLength, callable $measureLength, callable $getSubstring
) {
# Check if there is no need to truncate
if ( $measureLength( $string ) <= abs( $length ) ) {
return $string; // no need to truncate
}
# Use the localized ellipsis character
if ( $ellipsis == '...' ) {
$ellipsis = wfMessage( 'ellipsis' )->inLanguage( $this )->escaped();
}
if ( $length == 0 ) {
return $ellipsis; // convention
}This leads to phan SecurityCheck-DoubleEscaped errors such as:
16:30:56 includes/PollPage.class.php:98 SecurityCheck-DoubleEscaped Calling method \htmlspecialchars() in \PollPage::view that outputs using tainted argument #1 (`$user_name_short`). (Caused by: includes/PollPage.class.php +97; ../../includes/language/Language.php +3547; ../../includes/language/Language.php +3581; ../../includes/language/Language.php +3578; Builtin-\Message::escaped; ../../includes/language/Language.php +3608; ../../includes/language/Language.php +3587; ../../includes/language/Language.php +3578; Builtin-\Message::escaped; ../../includes/language/Language.php +3595; ../../includes/language/Language.php +3578; Builtin-\Message::escaped; ...) 16:30:56 [debug] Restarted process exited 1
(from https://integration.wikimedia.org/ci/job/mwext-php72-phan-docker/162352/console)
from code like:
$user_name_short = htmlspecialchars($lang->truncateForVisual( $creatorUserName, 27 ) );
I think phan is correct here -- we should be using wfMessage('ellipsis')->...->text() not ->escaped() -- especially since the point of this method is to truncate a string to a specific "visual" length (ie, in codepoints, not bytes) and html-entity-escaping the ellipsis is going to throw off that visual length calculation.