#googleanalyticstrackurl parser function in extension does not properly escape js in onclick handler and does not prevent using javascript urls.
Additionally it does not register external links in the parser (important for antispam).
return '<strong class="error">' . wfMessage( 'googleanalyticsmetrics-invalid-url' )->text() . '</strong>';
Doesn’t this need to be ->parse() or ->escaped() to prevent HTML injection from the googleanalyticsmetrics-invalid-url message?
No, because parser functions (unlike tag extensions) return wikitext if you return a string from them. So the return value is interpreted as being wikitext and does all normal wikitext escaping.
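As an added example (not the extension's own code, nor anything posted above) of how the three points in the report can be handled in a parser function hook: the class and method names, the hook signature, and the `ga()` call placed in the onclick body are assumptions.

```php
<?php
// Added example, not the extension's code. Sketch of a hardened
// {{#googleanalyticstrackurl:url|link text}} handler (constructed signature;
// registration via $parser->setFunctionHook() is not shown).
class GoogleAnalyticsTrackUrlExample {
    public static function render( Parser $parser, $url = '', $text = '' ) {
        $url = trim( $url );

        // 1. Reject javascript: (and any other non-http(s)) URLs up front
        //    instead of relying on attribute escaping alone. wfParseUrl()
        //    returns false for URLs it cannot parse.
        $bits = wfParseUrl( $url );
        if ( !$bits || !in_array( strtolower( $bits['scheme'] ), [ 'http', 'https' ], true ) ) {
            // Returned as a plain string, so the parser treats it as wikitext
            // and applies its normal escaping to the message text.
            return '<strong class="error">' . wfMessage( 'googleanalyticsmetrics-invalid-url' )->text() . '</strong>';
        }

        // 2. Register the URL as an external link so SpamBlacklist, $wgSpamRegex
        //    and Special:LinkSearch see it like a normal [http://...] link.
        $parser->getOutput()->addExternalLink( $url );

        // 3. Encode the URL as a JS string literal for the onclick body, then
        //    let Html::element() HTML-escape the whole attribute value, so the
        //    browser decodes the attribute before the JS engine sees it.
        $onclick = "ga('send', 'event', 'outbound', 'click', "
            . Xml::encodeJsVar( $url ) . ");"; // assumed ga() call, placeholder

        $html = Html::element( 'a', [
            'href' => $url,
            'rel' => 'nofollow',
            'onclick' => $onclick,
        ], $text !== '' ? $text : $url );

        // Return the already-escaped HTML and tell the parser not to reparse it.
        return [ $html, 'noparse' => true, 'isHTML' => true ];
    }
}
```

Because the success path returns HTML with `isHTML`, every piece of it must be escaped by the handler itself, which is why the link is assembled with `Html::element()` rather than string concatenation.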