This reverts commit 596c2615de.
Reason for revert: This has already been fixed in
I7fe42df7b9a3fd97eaf89515b7c1afb5ae3e688c. This second patch does not
address the issue properly and causes strings to be double escaped that
should only be escaped once.
Full reasoning:
* The parameter is now marked as `@param-taint $buttonLabel exec_html`
since the fix for T402313
* All callers outside of HTMLButtonField escape the label now
* There is another method call in HTMLButtonField, which passes the
`buttonLabel` property to the function. This property is assigned
in the following places:
** L63: Parsed message
** L67: String literal with a unicode character
** L69: Escaped string
** L72: Intentionally raw HTML string
** L126: `$this->getDefault()`, which will be escaped again in that line
after this patch is reverted
Bug: T394396
Change-Id: Ifc982e93c3cf2b6658cb8943eb717cb7a2aea7f5
CVE-2025-61642
HTMLButtonField::buildCodexComponent() expects raw HTML for its button
label parameter, and this makes sense in the context of that class. But
it was also being used to build the submit button, where we were passing
in a plain text button label.
Escape the button label before passing it in, and more clearly document
that this parameter expects raw HTML.
Bug: T402313
Change-Id: I7fe42df7b9a3fd97eaf89515b7c1afb5ae3e688c
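The two commit messages above (the CVE-2025-61642 fix and the revert of the follow-up patch) turn on one rule: a parameter documented as raw HTML is escaped exactly once, by the caller that holds plain text, and never again inside the sink. The sketch below is an added illustration, not MediaWiki code; `buildCodexButton()`, `submitButton()`, `rawHtmlButton()` and `doubleEscapedSink()` are hypothetical stand-ins for HTMLButtonField::buildCodexComponent() and its callers, and the hostile label is constructed input.

```php
<?php
// Added example, not part of MediaWiki. Models a raw-HTML sink (the label
// parameter of a Codex button builder) and shows why escaping belongs at the
// caller boundary, not inside the sink.
declare( strict_types = 1 );

/**
 * Hypothetical stand-in for HTMLButtonField::buildCodexComponent().
 * $buttonLabel is RAW HTML and is emitted unescaped, so the caller owns escaping.
 * In MediaWiki this contract is what `@param-taint $buttonLabel exec_html` declares.
 * The flag-to-class map mirrors the one described in the T359018 commit message.
 */
function buildCodexButton( array $attrs, array $flags, string $buttonLabel ): string {
	$classes = [ 'cdx-button' ];
	$flagClasses = [
		'progressive' => 'cdx-button--action-progressive',
		'destructive' => 'cdx-button--action-destructive',
		'primary' => 'cdx-button--weight-primary',
		'quiet' => 'cdx-button--weight-quiet',
	];
	foreach ( $flags as $flag ) {
		if ( isset( $flagClasses[$flag] ) ) {
			$classes[] = $flagClasses[$flag];
		}
	}
	$attrs['class'] = implode( ' ', $classes );

	$attrString = '';
	foreach ( $attrs as $name => $value ) {
		// Attribute values are plain text and are always escaped here;
		// only the label is a raw-HTML sink.
		$attrString .= ' ' . $name . '="' . htmlspecialchars( (string)$value, ENT_QUOTES ) . '"';
	}
	return '<button' . $attrString . '>' . $buttonLabel . '</button>';
}

/**
 * The submit-button case from T402313: the caller holds plain text,
 * so it escapes once at the boundary before handing the label to the sink.
 */
function submitButton( string $plainLabel ): string {
	return buildCodexButton(
		[ 'type' => 'submit' ],
		[ 'primary', 'progressive' ],
		htmlspecialchars( $plainLabel, ENT_QUOTES )
	);
}

/** A caller that already holds trusted HTML (the raw-label case) passes it through untouched. */
function rawHtmlButton( string $trustedHtml ): string {
	return buildCodexButton( [ 'type' => 'button' ], [], $trustedHtml );
}

/**
 * What the reverted patch did: escape inside the sink as well. Any caller that
 * already escaped, as every caller now must, gets its label mangled.
 */
function doubleEscapedSink( string $label ): string {
	return buildCodexButton( [], [], htmlspecialchars( $label, ENT_QUOTES ) );
}

// Constructed hostile input: a plain-text label that must not become markup.
$attackerLabel = '<img src=x onerror=alert(1)>';
echo submitButton( $attackerLabel ), "\n";

// Trusted markup supplied deliberately by code, not by a user.
echo rawHtmlButton( '<span class="cdx-icon"></span> Save' ), "\n";

// Correctly escaped caller meeting the sink that escapes again.
echo doubleEscapedSink( htmlspecialchars( 'R&D', ENT_QUOTES ) ), "\n";
```

Running this, the first button carries the hostile label as inert text, the second keeps its trusted markup, and the third shows the ampersand in "R&D" escaped twice, which is exactly the breakage the revert message describes for callers that had already been fixed to escape once.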
Add doc-typehints to class properties found by the PropertyDocumentation
sniff to improve the documentation.
Once the sniff is enabled, it prevents new code from being added without type
declarations. This is focused on documentation and does not change code.
Change-Id: I1f306a3925d6768209a06e70082598b2f70cd319
Changes to the use statements done automatically via script
Addition of missing use statement done manually
Change-Id: Ia35b2d3105880631dd26ec974068b000ac7f4b6b
Create a static method that returns the HTML for a Codex button.
CodexHTMLForm::getButtons() and HTMLButtonField::getInputCodex()
call the static method and pass in a list of attributes,
flags, and the button label needed to build the Codex button.
This patch changes the way the Codex submit button is created. In a
previous patch, the submit button was an instance of HTMLSubmitField.
Bug: T361406
Change-Id: I046de61d4808f034335254e9a9c853f133d66a9b
Was only there for IE 6 & 7, which have gladly not been supported in our
infrastructure and codebase for some years now.
Bug: T234582
Change-Id: I111ec7c45f04caf82a796b701baf206ebbc0540b
Adds support for all Codex Buttons by removing the
hard-coded values in the flag class array ($flags).
This patch adds the `cdx-button` class to class
attributes. It maps each flag in `$this->mFlags`
array to the corresponding CSS class name and
appends each flag class to the flag class array.
This ensures that all flag classes defined in
$flags are included in the HTML output.
Flags include 'progressive', 'destructive', 'primary',
and 'quiet'.
Flag classes include:
- cdx-button--action-progressive
- cdx-button--action-destructive
- cdx-button--weight-primary
- cdx-button--weight-quiet
Bug: T359018
Change-Id: I4ceaa3ef484f654bd908479d27ce0d32ed099d86
- Refactor the HTMLButtonField, HTMLCheckField, and HTMLTextField
classes to include getInputCodex() methods, rather than checking
if CodexHTMLForm is being used.
- Add error classes if applicable.
- For HTMLCheckField, ensure that tooltips are propagated to the
wrapper div instead of the label, so a tooltip will display no
matter which part of the component you're hovering over
(including the space between the input and label text).
Bug: T359013
Change-Id: I0ead69e2b6b33f48949a2dfe40140f2ef957bc06
Removing the config variable in a separate change:
Ib9966bc6a4a94f771cb99a5aa52fb6a1dc826ca5
(just in case something depends on its existence).
Bug: T182050
Change-Id: Ic3e038df16fc540ec7f6bcb9a54d73f8d596d305
Changes:
* Use Codex markup instead of mediawiki ui markup
* We limit what can be customized by the skin
* Current rules for touch area and snapping of
inputs are moved from Minerva into core so other skins
benefit from the styling
* A placeholder text is added to the "real name" field.
* Introduce CodexHTMLForm
Bug: T182050
Change-Id: I834cc0e07fc1e705753df6866a5eeda2ac77fb8e
This edition brought to you by:
grep -ERIn $(grep -o "'[A-Za-z0-9_]*'" includes/MainConfigNames.php | tr
"\n" '|' | sed 's/|$/\n/') includes/
I only corrected a fraction of the results provided by that command. I'm
submitting the partial patch now so it doesn't bitrot.
Bug: T305805
Change-Id: If1918c0b3d88cdf90403921e4310740e206d6962
Updated Doxygen markup in several .php files triggering warnings when mwdocgen.php is executed. Removed
obsolete settings MSCGEN_PATH and TCL_SUBST from Doxyfile. The former would generate a warning in 1.8.16
while TCL support was removed in 1.8.18. Since TCL_SUBST was blank anyway, it was removed prior to getting
to .18 in production. Increased DOT_GRAPH_MAX_NODES from 50 to 200 since Doxygen complained about it being
too low for API and Maintenance.
Bug: T248706
Change-Id: I9c67f0807d1b43089d351263d4f591dee5501f36
These occur when buttonlabel-message is set. HTMLButtonField
parses the message in its constructor, but at that point the
context (provided by the form field by HTMLForm::$mParent) is
not yet available. The constructor of HTMLForm assigns $mParent,
but that constructor is only called after the button label
message is parsed.
Bug: T201497
Change-Id: I021c9ecf3bc934f2cf55ec100e799c1c12e7bc01
Directly use the UTF-8 encoding of the 'NO-BREAK SPACE' (U+00A0) instead of
the HTML/XML entities &#160; or &#xA0; or &nbsp;.
With the UTF-8 character the generated HTML is shorter and better to read.
Also change the special value for the label in HTMLForm from &#160; to
U+00A0 but also support &#160; for backward compatibility.
Bug: T154300
Change-Id: I882599ac1120789bb4e524c4394870680caca4f4
Otherwise, after we allow HTML5 form validation attributes, these
buttons wouldn't work for non-JS users (unless the whole form was
otherwise valid).
Change-Id: Ia9c16849774c186b991280ea60fc5608ddd4cf42
Most of these are simply changing annotations to reflect
reality. If a function can return false to indicate failure
the @return should indicate it.
Some are fixing preg_match calls: preg_match returns 1, 0 or false,
but the functions all claim to return booleans.
This is far from all the incorrect return types in mediawiki, there
are around 250 detected by phan, but have to start somewhere.
Change-Id: I1bbdfee6190747bde460f8a7084212ccafe169ef
It mostly already worked. HTMLForm::trySubmit() needed a little
adjustment to handle things properly.
Change-Id: Ibb17bb61ac0b2d41953249980bc2f23b8a3ae5b6
It's getting more difficult to navigate the files in includes/htmlform/
with every new field and every new helper class that is being added.
Change-Id: I92ce2356baf6151f17b2440970d5abdf86503820
2016-08-01 07:58:56 +00:00
Renamed from includes/htmlform/HTMLButtonField.php