Fixes a bug introduced in c12af6e168
where invalid usernames are normalized out.
Nonexistent usernames will still fail the validation step, including
IP addresses if the field has been set up not to accept them.
Bug: T274568
Change-Id: I229afdfff2144fd4db8d49825262010f58f1fe54
Users can pass multidimensional arrays in query parameters to PHP
(e.g. ?foo[a][b]=bar). While filterDataForSubmit() ensured that anyone
using HTMLMultiSelectField in their form did not see them, internal
code here did not handle them correctly when validating the values and
generating the inputs, resulting in warnings deep in other code.
Use is_scalar instead of is_string in case default values somewhere
are integers or other non-string types.
Bug: T274955
Change-Id: I072a722ed025d687bfe755261a9896457f68f2ef
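
The failure mode described in the message above, as an added example that is not MediaWiki's own code: a validator for a multiselect submission that rejects nested arrays before any string handling runs and compares scalars as strings. The function name `validateMultiSelect`, the field name `groups` and the option values are hypothetical.

```php
<?php
// Added example; names and sample inputs are constructed, not taken from MediaWiki.

/**
 * Validate a multiselect submission against the allowed option values.
 * Returns the accepted values as strings, or null when the input is rejected.
 */
function validateMultiSelect( $submitted, array $allowed ): ?array {
	// ?groups=x arrives as a string and ?groups[]=x as an array;
	// only the array form is a valid multiselect submission.
	if ( !is_array( $submitted ) ) {
		return null;
	}
	// Option values may be integers in the form definition, so normalize
	// them to strings once and compare strictly afterwards.
	$allowedStrings = array_map( 'strval', $allowed );
	$accepted = [];
	foreach ( $submitted as $value ) {
		// ?groups[a][b]=x makes $value an array. Reject it here, before it
		// reaches code that expects a string and emits warnings.
		if ( !is_scalar( $value ) ) {
			return null;
		}
		$value = (string)$value;
		if ( !in_array( $value, $allowedStrings, true ) ) {
			return null;
		}
		$accepted[] = $value;
	}
	return $accepted;
}

// Constructed inputs, parsed the same way PHP builds $_GET from a query string.
parse_str( 'groups[]=sysop&groups[]=1', $wellFormed );
parse_str( 'groups[a][b]=sysop', $nested );
parse_str( 'groups=sysop', $flat );
$allowed = [ 'sysop', 'bot', 1 ];

var_dump( validateMultiSelect( $wellFormed['groups'], $allowed ) );
var_dump( validateMultiSelect( $nested['groups'], $allowed ) );
var_dump( validateMultiSelect( $flat['groups'], $allowed ) );
```
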
In no-js, there is no on the fly normalization of usernames in
HTMLUsersMultiselectField so both "User A" and "User_A" are
valid representations of "User A" (the canonical representation).
It's also possible to add the same user multiple times with no-js
and this will be considered valid and count toward the max limit.
These are not problems with js enabled since there will be an api
call for every new entry and that call both filters for selected users
and only returns canonical names.
This patchset reproduces that functionality in the PHP layer so that
no-js functions like the infused widget.
Bug: T274568
Change-Id: Ie78c8f37fa8a38b67eeaa6de098e41df2dac3e3e
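
A server-side sketch of the behaviour the two T274568 messages describe (canonicalize, count duplicates once, and fail on invalid names instead of dropping them), as an added example that is not MediaWiki's own code. `canonicalUserName()` is a simplified stand-in for the wiki's real username canonicalization, and `validateUsers()`, the existence callback and the error keys are hypothetical.

```php
<?php
// Added example; simplified rules and constructed sample data, not MediaWiki code.

/** Simplified canonical form: "_" and " " are equivalent, first letter upper-cased. */
function canonicalUserName( string $name ): ?string {
	$name = trim( preg_replace( '/[ _]+/', ' ', $name ) );
	// Assumed rule set for this example: empty names and these characters are invalid.
	if ( $name === '' || preg_match( '/[#<>\[\]|{}]/', $name ) ) {
		return null;
	}
	return ucfirst( $name );
}

/** Returns the list of canonical names on success, or an error key string. */
function validateUsers( array $submitted, callable $userExists, int $max ) {
	$seen = [];
	foreach ( $submitted as $raw ) {
		if ( !is_string( $raw ) ) {
			return 'invalid-shape';
		}
		$canonical = canonicalUserName( $raw );
		// An invalid or nonexistent name fails the whole field; silently
		// normalizing it out would let bad input pass validation.
		if ( $canonical === null || !$userExists( $canonical ) ) {
			return 'invalid-user';
		}
		// Keyed by canonical name, so "User A" and "User_A" count once.
		$seen[$canonical] = true;
	}
	// Enforce the limit on distinct canonical names, not on raw entries.
	if ( count( $seen ) > $max ) {
		return 'too-many';
	}
	// PHP turns numeric string keys into integers; cast them back.
	return array_map( 'strval', array_keys( $seen ) );
}

// Constructed user table for the example.
$known = [ 'User A', 'Bob' ];
$exists = static function ( string $name ) use ( $known ): bool {
	return in_array( $name, $known, true );
};

var_dump( validateUsers( [ 'User A', 'User_A', 'bob' ], $exists, 2 ) );
var_dump( validateUsers( [ 'User A', 'Nobody' ], $exists, 2 ) );
```
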
This is a micro-optimization of closure code to avoid binding the closure
to $this where it is not needed.
Created by I25a17fb22b6b669e817317a0f45051ae9c608208
Change-Id: I0ffc6200f6c6693d78a3151cb8cea7dce7c21653
This patch touches all uncontroversial (I hope) places where a chain
of isset(), array_key_exists() and the ternary ?: operator can be
replaced with the much shorter ?? feature from PHP 7.
?? does the same. It checks if the element before the ?? is set and
not null. When this check fails, the element after the ?? is used.
Change-Id: Id612e2782ae928164b26b6f0de676c6c7d8302f3
If the disabled parameter is set, the create/delete buttons
should be disabled by default. If a delete button is passed
along, then it overwrites the default delete button and therefore
needs to manage its own disabled/enabled state.
Bug: T273431
Change-Id: Ia424466d26b6f65f01b912c2d556d329eb93f29a
* Make 'accept' an array like it is in OOUI
* Treat $this->mMultiple like the boolean it is
* Don't bother setting 'placeholder' on native inputs
Change-Id: I4c1341181757791c2e1ac2a14c4b3e7c8461ca54
This issue type was globally suppressed in
I849ac4f120fd15b483e8939d4db45c98dc351259 to make review easier.
This adds inline suppressions or @suppress directives on function
docs for false positives, mostly restoring those removed in
I849ac4f120fd15b483e8939d4db45c98dc351259
Bug: T231311
Change-Id: I1b1d814bd907e9d49fcc39f777982936574fc7c6
Taint check checks for possible security issues by tracking html
escaping and more by using phan.
This slows down the phan-job a bit and requires more RAM
Keep the DoubleEscaped issues out to make review easier
Adds suppression for false positives
Adds taint-annotation to help taint-check
Removes suppression for code phan now understands better by the tracking
of keys in taint-check
Fix some small issues by adding int cast or htmlspecialchars calls
Bug: T216348
Bug: T268920
Change-Id: I849ac4f120fd15b483e8939d4db45c98dc351259
$out has only items, when $optionsOouiSections has items, but when
$options is empty, $out is also empty. In that case $hasSections is
false.
Bug: T232616
Change-Id: Id3959013b7b1db0d4faeecea9148bae97227abcf
Deprecating something means to say something nasty about it, or to draw
its character into question. For example, "this function is lazy and good
for nothing". Deprecatory remarks by a developer are generally taken as a
warning that violence will soon be done against the function in question.
Other developers are thus warned to avoid associating with the deprecated
function.
However, since wfDeprecated() was introduced, it has become obvious that
the targets of deprecation are not limited to functions. Developers can
deprecate literally anything: a parameter, a return value, a file
format, Mondays, the concept of being, etc. wfDeprecated() requires
every deprecatory statement to begin with "use of", leading to some
awkward sentences. For example, one might say: "Use of your mouth to
cough without it being covered by your arm is deprecated since 2020."
So, introduce wfDeprecatedMsg(), which allows deprecation messages to be
specified in plain text, with the caller description being optionally
appended. Migrate incorrect or grammatically awkward uses of wfDeprecated()
to wfDeprecatedMsg().
Change-Id: Ib3dd2fe37677d98425d0f3692db5c9e988943ae8
Amongst other things, this version of phan bundles taint-check, which is
however disabled in the config file because there are lots of issues to
be fixed.
Upgrading phan alone now means that we can have a clean baseline for the taint-check upgrade.
Bug: T248630
Change-Id: I8ab7ef9a9e73952098664176aad6c2b3b88095ee
Updated Doxygen markup in several .php files triggering warnings when mwdocgen.php is executed. Removed
obsolete settings MSCGEN_PATH and TCL_SUBST from Doxyfile. The former would generate a warning in 1.8.16
while TCL support was removed in 1.8.18. Since TCL_SUBST was blank anyway, it was removed prior to getting
to .18 in production. Increased DOT_GRAPH_MAX_NODES from 50 to 200 since Doxygen complained about it being
too low for API and Maintenance.
Bug: T248706
Change-Id: I9c67f0807d1b43089d351263d4f591dee5501f36
The HTMLUsersMultiselectField and HTMLUserTextField fail validation when an
empty string is passed to a non-required form field. To prevent this, the
widget should pass the validation to the parent when the value is an empty
string.
Bug: T246958
Change-Id: I39df2b575b90a4648188ed3ef4cc0c38ac553636
Repeating the variable name doesn't do anything. Documentation
generators don't need it. It's more stuff to read that doesn't add new
information. And it can become outdated.
Note there are two types of @var docs. When used inline (and not on a
class property) the variable name is needed.
Change-Id: If5a520405efacd8cefd90b878c999b842b91ac61
Pass through config options from HTMLUserTextField that allow the
field to accept an IP address and/or range, and specify the maximum
allowed range size.
Bug: T238277
Change-Id: I0e0f6b6fd6801d5cd561def28917e81a81b3f7d4
Introduce a more specific message for when the number of selected items
exceeds the maximum number allowed.
Change-Id: I359b65ac397b4acef32940ff8ff9af33651f7a7b
This is for classes with a single undeclared property - aside from
BlockManager: I3f51fd3579514b83b567dfe20926df2f0930dc85 removed the
declaration of $permissionManager without actually removing all uses.
Change-Id: Ic2a95f77071312041be6e0633ea9b5325e98de42
This allows us to remove many suppressions for phan false positives.
Bug: T231636
Depends-On: I82a279e1f7b0fdefd3bb712e46c7d0665429d065
Change-Id: I5c251e9584a1ae9fb1577afcafb5001e0dcd41c7
All of these suppressions prevent the detection of many common mistakes,
and could easily prevent things like T231488. Especially if there are
few issues of a given type, it's way better to suppress them inline,
instead of disabling them for the whole core.
This patch only touches the one with a lower count (although those
counts may be out of date).
Bug: T231636
Change-Id: Ica50297ec7c71a81ba2204f9763499da925067bd
Alters the SelectWithInput to allow a required config to be passed from a
parent widget. Also handles the required state dynamically. If the widget is
an OR widget, then only the select dropdown is required. The text input will
be required when the other option is selected. If the widget is an AND widget
then both the select dropdown and the text input will be required.
Bug: T220533
Change-Id: I8479743126756f2b1bd7bcd53b100a0134f34d07