The HTMLForm library doesn't escape the input of the help key by default. Is this intended behavior?
For example, the following form descriptor using an interface message through `wfMessage()->text()` is an XSS vector.
```lang=php
$formDescriptor = [
	'simpletextfield' => [
		'label' => 'Simple Text Field',
		'class' => 'HTMLTextField',
		// ->text() returns unescaped message text; HTMLForm outputs 'help' as raw HTML, XSS!
		'help' => wfMessage( 'myextension-mymessage' )->text(),
	],
];
```
We should rename the key to be `help-raw`, so users know it is a raw key. We should mark the old key name deprecated but keep it around for a transition period.
Afterwards we should adjust phan-taint-check to make sure it recognizes the new key name.
If you are fixing this, you probably need to edit (the comment in) `includes/htmlform/HTMLForm.php` and `includes/htmlform/HTMLFormField.php`, as well as mention the deprecation in RELEASE-NOTES.
[x] New `help-raw` param added, and old `help` param marked as deprecated.
[ ] Migrate all Wikimedia production code to use `help-raw` instead of `help`.
[ ] Make use of the `help` param cause a deprecation warning.
[ ] Drop support for use of `help` (in MW 1.44 or later).
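
An added example, not MediaWiki's own code: a standalone PHP helper for the migration step in the checklist above. It finds form descriptor fields that still use `help` and renames the key to `help-raw` without changing the value. The function names and the sample descriptor are assumptions made for illustration.

```php
<?php
// Added example: standalone audit/migration helper, not MediaWiki code.
// Function names and the sample descriptor are constructed for illustration.

/** Return the names of fields that still use the deprecated raw `help` key. */
function findDeprecatedHelpKeys( array $descriptor ): array {
	$hits = [];
	foreach ( $descriptor as $name => $field ) {
		if ( is_array( $field ) && array_key_exists( 'help', $field ) ) {
			$hits[] = $name;
		}
	}
	return $hits;
}

/**
 * Rename `help` to `help-raw` without touching the value, so the raw-HTML
 * contract is visible at the call site. Escaping remains the caller's job.
 */
function migrateHelpKeys( array $descriptor ): array {
	foreach ( $descriptor as $name => $field ) {
		if ( !is_array( $field ) || !array_key_exists( 'help', $field ) ) {
			continue;
		}
		if ( array_key_exists( 'help-raw', $field ) ) {
			// Both keys set: refuse to guess which one the author meant.
			throw new InvalidArgumentException( "Field '$name' sets both help and help-raw" );
		}
		$field['help-raw'] = $field['help'];
		unset( $field['help'] );
		$descriptor[$name] = $field;
	}
	return $descriptor;
}

// Constructed sample: $untrusted stands in for unescaped message text.
$untrusted = '<b>bold</b> & more';
$descriptor = [
	'legacy' => [ 'class' => 'HTMLTextField', 'help' => $untrusted ],
	'escaped' => [ 'class' => 'HTMLTextField', 'help-raw' => htmlspecialchars( $untrusted, ENT_QUOTES ) ],
];

// List the fields that need review, then show each field's keys after migration.
print_r( findDeprecatedHelpKeys( $descriptor ) );
print_r( array_map( 'array_keys', migrateHelpKeys( $descriptor ) ) );
```

Renaming the key does not make a value safe: every field reported by `findDeprecatedHelpKeys()` still needs its value checked for proper escaping.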