HomePhabricator
Diffusion MediaWiki 42e433f14f4b

[DO NOT MERGE until feedback wikitech-l] Remove support for…
42e433f14f4bUnpublished
Actions

Unpublished Commit · Learn More

Publishing Disabled: All publishing is disabled for this repository.
This commit no longer exists in the repository. It may have been part of a branch which was deleted.This commit has been deleted in the repository: it is no longer reachable from any branch, tag, or ref.

Description

[DO NOT MERGE until feedback wikitech-l] Remove support for $wgWellFormedXml=false

tl;dr: Having unnessary complexity in security critical code is bad.

  • Extra options add extra complexity and maintenance burden
    • Thus we should only have one html output mode. well formed = false was already vetoed in T52040, so lets go with WellFormed=true.
  • Options which are used by very few people tend to get tested less
  • Escaping is an area of code where we should be very conservative
  • Having escaping rules depend on making assumptions about which characters various browsers consider "whitespace" is scary
  • $wgWellFormedXml=false has had a negative security impact in the past (Usually not directly its fault, but has made other bugs more exploitable)
  • Saving a couple bytes (even less bytes after gzip taken into account) is really not worth it in this context (imho).

Change-Id: I5c922e0980d3f9eb39adb5bb5833e158afda42ed

Details

Provenance
BawolffAuthored on Apr 20 2016, 5:22 PM
ChangeId
I5c922e0980d3f9eb39adb5bb5833e158afda42ed

Commit No Longer Exists

This commit no longer exists in the repository.
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL