Merge "Fix some warnings from phan-taint-check"
commit
fede766fe9
3 changed files with 16 additions and 2 deletions
@ -104,6 +104,9 @@ class AjaxDispatcher {
|
|||
* they should be carefully handled in the function processing the
|
||||
* request.
|
||||
*
|
||||
* phan-taint-check triggers as it is not smart enough to understand
|
||||
* the early return if func_name not in AjaxExportList.
|
||||
* @suppress SecurityCheck-XSS
|
||||
* @param User $user
|
||||
*/
|
||||
function performAction( User $user ) {
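Review bot: The `@suppress SecurityCheck-XSS` tag added to the performAction() docblock silences every XSS finding in the whole method, not only the false positive the comment describes, so any later change that outputs request data inside this method would go unreported. Phan supports a statement-level form, so the suppression could instead sit on the specific output statement as `@phan-suppress-next-line SecurityCheck-XSS` with the allowlist rationale beside it, leaving the rest of the method under analysis. At minimum the docblock should record what the suppression depends on: `* Safe only while the early return on func_name not in AjaxExportList remains the first check in this method.` The body of performAction() continues outside the hunk.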
|
||||
|
|
|
|||
|
|
@ -1782,7 +1782,7 @@ ERROR;
|
|||
if ( $this->summary === '' ) {
|
||||
$cleanSectionTitle = $wgParser->stripSectionName( $this->sectiontitle );
|
||||
return $this->context->msg( 'newsectionsummary' )
|
||||
->rawParams( $cleanSectionTitle )->inContentLanguage()->text();
|
||||
->plaintextParams( $cleanSectionTitle )->inContentLanguage()->text();
|
||||
}
|
||||
} elseif ( $this->summary !== '' ) {
|
||||
$sectionanchor = $this->guessSectionName( $this->summary );
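Review bot: The change from rawParams() to plaintextParams() for $cleanSectionTitle appears output-neutral only because the message is rendered with text(); if I read Message's plaintext handling correctly, a parsed format would additionally HTML-escape the parameter, and nothing in the hunk records that the result relies on the text format. A one-line comment would make the intent durable for the next maintainer: `// plaintextParams: the section title is presumably request-supplied and must not be evaluated as wikitext`. The same point applies to the $cleanSummary change in the following hunk. The enclosing method starts before this hunk.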
|
||||
|
|
@ -1790,7 +1790,7 @@ ERROR;
|
|||
# in the revision summary.
|
||||
$cleanSummary = $wgParser->stripSectionName( $this->summary );
|
||||
return $this->context->msg( 'newsectionsummary' )
|
||||
->rawParams( $cleanSummary )->inContentLanguage()->text();
|
||||
->plaintextParams( $cleanSummary )->inContentLanguage()->text();
|
||||
}
|
||||
return $this->summary;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -878,8 +878,13 @@ abstract class HTMLFormField {
|
|||
* Determine form errors to display and their classes
|
||||
* @since 1.20
|
||||
*
|
||||
* phan-taint-check gets confused with returning both classes
|
||||
* and errors and thinks double escaping is happening, so specify
|
||||
* that return value has no taint.
|
||||
*
|
||||
* @param string $value The value of the input
|
||||
* @return array array( $errors, $errorClass )
|
||||
* @return-taint none
|
||||
*/
|
||||
public function getErrorsAndErrorClass( $value ) {
|
||||
$errors = $this->validate( $value, $this->mParent->mFieldData );
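Review bot: `@return-taint none` declares both elements of the returned array free of taint, which only holds if every value placed in $errors has already been escaped before it is returned; the new docblock text explains the checker's confusion but does not state that precondition, and the method body continues outside the hunk so it cannot be confirmed here. With the annotation in place, a future code path in getErrorsAndErrorClass() that returns a raw string from validate() would no longer be flagged. I would add, under the existing explanation, `* Relies on every $errors entry already being escaped HTML (see formatErrors); a raw string added here will not be caught by the checker.`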
|
||||
|
|
@ -1149,6 +1154,12 @@ abstract class HTMLFormField {
|
|||
* Formats one or more errors as accepted by field validation-callback.
|
||||
*
|
||||
* @param string|Message|array $errors Array of strings or Message instances
|
||||
* To work around limitations in phan-taint-check the calling
|
||||
* class has taintedness disabled. So instead we pretend that
|
||||
* this method outputs html, since the result is eventually
|
||||
* outputted anyways without escaping and this allows us to verify
|
||||
* stuff is safe even though the caller has taintedness cleared.
|
||||
* @param-taint $errors exec_html
|
||||
* @return string HTML
|
||||
* @since 1.18
|
||||
*/
|
||||
|
|
|
|||