Nothing too concerning with what you're doing. Security is roughly the same as using Html/Xml classes at this point.
The only thing I'd really like to see changed is in php/widgets/InputWidget.php: the "sanitizeValue" function doesn't do any (security) sanitization, which I think could cause confusion later on. If the name can't be changed, maybe make the comments explicit that it's not security sanitization?
It would also be nice to have some extra sanitization built in from the start, which we can't do in the Html/Xml classes since they're abused in odd ways, but which has bitten some developers (SemanticForms had a bunch of issues because they assumed these happened):
- Validate the tag name will be parsed in HTML as a single tag name, so it doesn't contain whitespace, /, >, or null.
- Validate attribute names don't contain whitespace, /, =, >
- Validate that form actions and button hrefs aren't javascript: urls
There are also a couple of places you're adding style attributes directly. Is it possible to avoid that? My long-term plan is to have MediaWiki set a Content Security Policy that doesn't allow inline css, so I'd prefer to not introduce new uses of it, if possible.
Version: wmf-deployment
Severity: normal
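One way to implement the three structural checks the review above asks for (tag name, attribute name, and javascript: URL rejection), as an added example in PHP that is not part of the reviewed change or of MediaWiki's Html/Xml classes. The function names, the leading-letter requirement on tag names, the scheme allowlist in isSafeLinkTarget() and the demo inputs are all assumptions made for this example; the tab/LF/CR stripping and leading-control stripping mirror how browsers normalize a URL before reading its scheme.

```php
<?php
/*
 * Added example, not code from the reviewed change or from MediaWiki.
 * These are structural checks that decide whether an untrusted string can
 * occupy a tag-name, attribute-name or URL position at all. They are not
 * HTML escaping: values still need htmlspecialchars() on output.
 */

/**
 * True if the HTML tokenizer would consume $name as exactly one tag name:
 * no HTML whitespace (tab, LF, FF, CR, space), no "/" and no ">" (each of
 * which ends the name), and no NUL. Assumption beyond the review comment:
 * the first character must be an ASCII letter, which is what the tokenizer's
 * tag-open state requires, so "!--" or "?x" cannot turn the element into a
 * comment or bogus comment.
 */
function isValidTagName( $name ) {
	return is_string( $name )
		&& preg_match( '/^[A-Za-z][^\x00\t\n\f\r \/>]*$/', $name ) === 1;
}

/**
 * True if $name cannot be split into two attributes or close the tag:
 * non-empty, no HTML whitespace, "/", "=", ">" or NUL. This is a structural
 * check only; whether an attribute such as "onclick" should ever be emitted
 * is a separate policy question.
 */
function isValidAttributeName( $name ) {
	return is_string( $name )
		&& preg_match( '/^[^\x00\t\n\f\r \/=>]+$/', $name ) === 1;
}

/**
 * Normalize a URL the way a browser does before it reads the scheme:
 * tab, LF and CR are removed anywhere in the string, and leading C0
 * controls and spaces are stripped. Without this, "java\tscript:" and
 * "  JavaScript:" slip past a naive strpos() check and still execute.
 */
function normalizeUrlForSchemeCheck( $url ) {
	$normalized = str_replace( [ "\t", "\n", "\r" ], '', $url );
	return ltrim( $normalized, "\x00..\x20" );
}

/**
 * The literal check the review asks for: is this a javascript: URL?
 * Runs on the raw value, before HTML escaping; an entity-encoded form such
 * as "javascript&colon;" only becomes a problem if the value is later
 * emitted unescaped.
 */
function isJavascriptUrl( $url ) {
	return is_string( $url )
		&& stripos( normalizeUrlForSchemeCheck( $url ), 'javascript:' ) === 0;
}

/**
 * Stricter form for a form action or button href: relative URLs, "#frag"
 * and scheme-relative "//host/" are allowed, and a URL with a scheme must
 * use one from the allowlist. The default allowlist is an assumption for
 * this example; in MediaWiki the configured list is $wgUrlProtocols.
 */
function isSafeLinkTarget( $url, array $allowedSchemes = [ 'http', 'https', 'mailto' ] ) {
	if ( !is_string( $url ) ) {
		return false;
	}
	$normalized = normalizeUrlForSchemeCheck( $url );
	if ( preg_match( '/^([A-Za-z][A-Za-z0-9+.\-]*):/', $normalized, $m ) ) {
		return in_array( strtolower( $m[1] ), $allowedSchemes, true );
	}
	return true; // no scheme: relative URL, fragment, or scheme-relative
}

// Constructed inputs for a quick run (php validate.php).
foreach ( [ 'input', 'my-widget', 'div>', 'a b', '!--', '' ] as $t ) {
	printf( "tag  %-26s %s\n", var_export( $t, true ), isValidTagName( $t ) ? 'ok' : 'REJECT' );
}
foreach ( [ 'data-foo', 'onclick', 'a=b', 'x/y', 'a b' ] as $a ) {
	printf( "attr %-26s %s\n", var_export( $a, true ), isValidAttributeName( $a ) ? 'ok' : 'REJECT' );
}
foreach ( [
	'/wiki/Special:Search', '#top', 'https://example.org/',
	' JaVaScRiPt:alert(1)', "java\tscript:alert(1)", 'ftp://example.org/'
] as $u ) {
	printf( "url  %-26s js=%s safe=%s\n", var_export( $u, true ),
		isJavascriptUrl( $u ) ? 'yes' : 'no', isSafeLinkTarget( $u ) ? 'yes' : 'no' );
}
```

The two URL functions differ deliberately: isJavascriptUrl() is the minimal check named in the review, while isSafeLinkTarget() is the allowlist a practitioner would normally prefer, since it also stops any other scheme the browser happens to treat as executable. Either way, normalize before comparing; the whitespace and case tricks in the demo inputs are exactly the cases a naive prefix check misses.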