Page MenuHomePhabricator

Fix incorrect deserialization of HTML in Flow
Closed, ResolvedPublic

Description

This is related to jQuery 1.9's change in how HTML is recognized by the $() function.

  • mwUiTooltipShow (modules/engine/misc/mw-ui.enhance.js) looks like it allows passing arbitrary HTML as content, which would be affected by this; this should also be documented.
  • plaintextSnippet (flow-handlebars.js) should use $.parseHTML for safety when contentFormta is 'html'.
  • FlowBoardComponentApiEventsMixin.UI.events.apiHandlers.moderateTopic and FlowBoardComponentApiEventsMixin.UI.events.apiHandlers.moderatePost use HTML directly from processTemplate, making them affected by this issue (also, apparently processTemplateGetFragment should be used instead of this in general, and we may want to make processTemplate private).
  • 'html' is a misleading variable name for the return value of processTemplateGetFragment (e.g. in flow-board-api-events.js) (not an actual bug, but related and confusing)

Event Timeline

Mattflaschen-WMF raised the priority of this task from to High.
Mattflaschen-WMF updated the task description. (Show Details)
Mattflaschen-WMF added subscribers: Aklapper, Unknown Object (MLST), greg and 6 others.
Krinkle removed a subscriber: Krinkle.Jan 17 2015, 1:37 AM
gerritbot added a subscriber: gerritbot.

Change 187799 had a related patch set uploaded (by Mattflaschen):
Update to follow jQuery 1.11 upgrade guide

https://gerrit.wikimedia.org/r/187799

Patch-For-Review

Change 187799 merged by jenkins-bot:
Update to follow jQuery 1.9 upgrade guide

https://gerrit.wikimedia.org/r/187799

DannyH closed this task as Resolved.Feb 3 2015, 11:57 PM
DannyH added a subscriber: DannyH.