This issue type was globally suppressed in
I849ac4f120fd15b483e8939d4db45c98dc351259 to make review easier.
This adds inline suppressions or @suppress directives on function
docs for false positives, mostly restoring those removed in
I849ac4f120fd15b483e8939d4db45c98dc351259
Bug: T231311
Change-Id: I1b1d814bd907e9d49fcc39f777982936574fc7c6

Taint check checks for possible security issues by tracking html
escaping and more by using phan.
This slows down the phan job a bit and requires more RAM.
Keep the DoubleEscaped issues out to make review easier.
Adds suppression for false positives.
Adds taint annotations to help taint-check.
Removes suppression for code phan now understands better thanks to the tracking
of keys in taint-check.
Fix some small issues by adding int cast or htmlspecialchars calls
Bug: T216348
Bug: T268920
Change-Id: I849ac4f120fd15b483e8939d4db45c98dc351259

Also add taint for LogFormatter::makePageLink similar to
LogFormatter::makeUserLink to avoid false positives, as the return of
this function is mostly wrapped in Message::rawParam.
Change-Id: Iab770702fd3a1d20f25f54057770dc03e28f1b0e

Some functions use the union type string|Message where the string is a message
key and not html. These can be marked as tainted to avoid double escape
issues from taint-check.
Bug: T216348
Change-Id: I40a305b5e49d67b3f6d7737c0846b93a80b78fa9

For compliance with the new version of the table interface policy
(T255803).
This patch was created by an automated search & replace operation
on the includes/ directory.
Bug: T257789
Change-Id: If560596f5e1e0a3da91afc36e656e7c27f040968

This annotates classes that can safely be instantiated by
extensions, per the Stable Interface Policy.
Bug: T247862
Change-Id: Ia280f559874fc0750265ddeb7f831e65fd7d7d6a

There is currently notable overhead from having to call
Title::getPrefixedText/TitleFormatter upon serialisation,
and Title::newFromText/TitleParser upon unserialisation.
An unscientific benchmark:
> $start = microtime(true); $a = new RawMessage('some content');
> $a->title( Title::makeTitle( NS_SPECIAL, 'Badtitle/MessageCache' ) );
> $s = serialize($a); $b = unserialize($s);
> $duration = microtime(true) - $start;
> echo 'time: ' . round($duration * 1000, 1) . ' ms';
Run on mediawiki-docker-dev on PHP 7.2.28, via eval.php:
* Before: 129.7 ms, 118.6 ms
* After: 6.6 ms, 4.7 ms
Bug: T247035
Change-Id: I999db53e2f6189fb4319fefc2fbd8e5e5a228df0

This follows up d83fcce5cb, which did something similar for
includes/profiler/.
* Ensure presence of license header.
* Merge any file-level descriptions with the class block,
where it gets seen in generated docs about that class.
* Add any missing `@ingroup` tags to class blocks.
* Remove remaining `@ingroup` from file blocks.
These clutter the Doxygen pages with duplicate entries.
* Fix some misspelled words from 61e0908fa2 and f136c2953c.
Change-Id: I5d21ec159766b799ba519da951d4f0716bae5f9f

The coupling of Status with the global request context for
Message object creation is a common pain point in unit tests and
in no-session code. As a short term solution (until Status is
properly deprecated) allow injecting a different localizer.
Also refactor the code a bit to get rid of the explicit need for
the context language (which is already implicit in the localizer).
Change-Id: I82a2e4a83743546a934fb938b94e877a2471a3d2

And also update approximated counts, which for the most part are lower
than reported (hooray!).
Bug: T231636
Depends-On: Ica50297ec7c71a81ba2204f9763499da925067bd
Change-Id: I78354bf5f0c831108c8f606e50c87cf6bc00d8bd