From 03468c8f30c54d6ec728b5c6a443857d50aad2d2 Mon Sep 17 00:00:00 2001
From: Umherirrender
Date: Wed, 21 Aug 2024 22:16:00 +0200
Subject: [PATCH] html: Add param-taint annotation to Html::errorBox

Warn on unescaped html passed to Html::errorBox
Allow to find the situation fixed in ac5c18327a83668e749c4bd731f212a96255dbf0 via phan-taint-check

Follow-Up: I0a613819cb2b19693a3e461ad45c793cce2bd989
Depends-On: Ia44c9a7a20bd8efc6619210bcf7056068ac87f1a
Depends-On: I9dbca9939bf8b2b1b31b26f20eb3530554f05f6f
Depends-On: I4cbcb6763042b51a198ce66138c171f41ce52457
Depends-On: Ic1abdf3814f5bed75531107f0ac983223e531e82
Depends-On: I4169bbe23ec8d8e302c4b6754a54d89ad3115410
Change-Id: I6897388ef05b5f1d61f09caaa9c328cdbe84f431
---
 includes/Html/Html.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/includes/Html/Html.php b/includes/Html/Html.php
index 7b6d6f9df9b..ba6d42096e4 100644
--- a/includes/Html/Html.php
+++ b/includes/Html/Html.php
@@ -688,6 +688,7 @@ class Html {
  * Return the HTML for a message box.
  * @since 1.31
  * @param string $html of contents of box
+ * @param-taint $html tainted
  * @param string|array $className corresponding to box
  * @param string $heading (optional)
  * @param string $iconClassName (optional) corresponding to box icon
@@ -725,6 +726,7 @@ class Html {
  * Return the HTML for a notice message box.
  * @since 1.38
  * @param string $html of contents of notice
+ * @param-taint $html tainted
  * @param string|array $className corresponding to notice
  * @param string $heading (optional)
  * @param string|array $iconClassName (optional) corresponding to notice icon
@@ -743,6 +745,7 @@ class Html {
  * @since 1.31
  * @since 1.34 $className optional parameter added
  * @param string $html of contents of box
+ * @param-taint $html tainted
  * @param string $className (optional) corresponding to box
  * @return string of HTML representing a warning box.
  */
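Review bot: The `@param string $html of contents of box` line beside each new annotation still reads as if `$html` were plain text, while the added `@param-taint $html tainted` declares it raw, unescaped markup; the prose should say so explicitly, e.g. `@param string $html Raw HTML contents of the box; *not* escaped, the caller is responsible for escaping untrusted input`. The same wording fix applies to the other four hunks (noticeBox at -725, warningBox at -743, errorBox at -757 and successBox at -772). Only `$html` is annotated and all five method bodies lie outside these hunks, so I cannot confirm here that `$heading` (messageBox, noticeBox, errorBox) and `$className` are escaped before being emitted; if phan-taint-check treats a function carrying any `@param-taint` as fully annotated rather than inferring the rest, those parameters should receive their own annotation (for instance `escapes_html` once the body confirms it) instead of relying on inference.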
@@ -757,6 +760,7 @@ class Html {
  * @since 1.31
  * @since 1.34 $className optional parameter added
  * @param string $html of contents of error box
+ * @param-taint $html tainted
  * @param string $heading (optional)
  * @param string $className (optional) corresponding to box
  * @return string of HTML representing an error box.
@@ -772,6 +776,7 @@ class Html {
  * @since 1.31
  * @since 1.34 $className optional parameter added
  * @param string $html of contents of box
+ * @param-taint $html tainted
  * @param string $className (optional) corresponding to box
  * @return string of HTML representing a success box.
  */