Doxygen expects parameter types to come before the
parameter name in @param tags. Used a quick regex
to switch everything around where possible. This
only fixes cases where a primitve variable (or a
primitive followed by other types) is the variable
type. Other cases will need to be fixed manually.
Change-Id: Ic59fd20856eb0489d70f3469a56ebce0efb3db13
Problem: on API documentation pages, lines delimited with asterisks
are automatically converted to bold. However, some lines aren't,
such as the one with the url in the main header of the root API page:
https://en.wikipedia.org/w/api.php
Not only this is breaks the standard formatting for module headers, etc,
but if the font used by the browser for monospaced text
doesn't preserve character width between bold and regular weight
(which it should), any layout structures will break.
Example: http://i.imgur.com/PVh6i.png
The regex that applies bold to the lines starting and ending in *
doesn't accept < and > inside the string,
but these are added by the url-formatting regex.
Simply changing the order of these operations fixes the issue.
Note: this change also removes the regex applying italics
to lines in the $ ... $ form, as suggested by Anomie and Yurik
in code review comments.
Change-Id: I7173f812bebb8a722fefdaa6cce9fcd554c82c84
API was using SVN's version keyword which GIT does not support.
All related methods were either removed, or for those that
could have been used from extensions, emptied out.
api.php?version now shows unrecognized param warning.
Change-Id: I910ca1448ed2ed697ac19b17c486d130aa1d7e03
- Bug 260 provides potentally relevant discussion
(also eventually settled in white-space:pre-wrap)
- Wrapping isn't applied in help pages, since they rely
on the monospaced font for layout purposes.
- Rename $isError to the more exact $isHelp
- Update documentation for ApiFormatBase::initPrinter()
- Bonus: header w/ info about output formats won't show
for action=help anymore (irrelevant)
Change-Id: Id9cdf102e17b4c3eaf4b10f3e3f5e97233911b97
This patch marks the regex matching url protocol as being case
insensitive. We will from now render links like [HTTP://ww].
Tests added.
Change-Id: I706acb7a0ae194b50d2318763beae4e5e83671f3
By default, set the x-frame-options header for api result pages
to 'DENY'. This is to prevent an attacker from iframing an api
page that includes tokens and stealing them from a user, for example
with a fake captcha prompt.
The global $wgApiFrameOptions is used for the value, or can be set
to false to disable setting the header.
Change-Id: I498f874d7f6c180ec4f3abfc81f773c0fa0f421d
Doxygen choke on text enclosed by '<' and '>' since it tries to
interpret them as HTML or XML elements. This patch adds double quotes
in includes/api/*.php files around the two following strings:
<Firstname>.<Lastname>@gmail.com
<Firstname><Lastname>@gmail.com
Which becomes:
"<Firstname>.<Lastname>@gmail.com"
"<Firstname><Lastname>@gmail.com"
Tested locally, it prevents doxygen 1.8.0 related warnings.
Change-Id: I36d82eb3fd4989ee3ffc65b0b527b83711d1ba69
The help message that appears at the top of pretty-printed
API results suggested to use format in uppercase (e.g. format=XML).
That wouldn't work, because format names are lowercase.
This change corrects the help message so that it correctly uses
lowercase (e.g. format=xml).
Change-Id: I94275879b60c42bde607eb896aa79433dfabb34c
It's a parctice that dates back to 2006 when the API was first written, and frankly isn't covered by the coding conventions. Same thing with the docblocks, they're all copypasted with some bits changed and don't even make sense if you look at them in the genereated code docs.
I don't feel that any of us depend on this anymore (get a better IDE), so in the inerest of consistancy it's time we said goodbye to it.
* Introduce a boolean parameter to wfUrlProtocols() which, if set to false, will cause '//' to be dropped from the returned regex so it doesn't match protocol-relative URLs
* Introduce wfUrlProtocolsWithoutProtRel() as a wrapper for wfUrlProtocols( false ). The latter should not be used directly because the former is much clearer
* Use this new function in Parser::doMagicLinks() to fix the original bug. Also use it in ApiFormatBase::formatHTML() and CodeCommentLinker::link(), which probably had similar bugs
* Only clicktrack local, domain-relative URLs
* Validate redirect URL in ApiClickTracking with the same condition used in ClickTracking.js (local, domain-relative)
* Remove call to nonexistent function OutputPage::enable()
* Add functionality for disabling API output and use this after setting up the redirect. This fixes the issue where the body of the redirect contained an API response in xmlfm form
at; the body is now empty.
"I wouldn't object to stylizing the API code to bring it in line with
the rest of MW on principle, but I'm not gonna bother myself." --Roan
<http://www.mediawiki.org/wiki/Special:Code/MediaWiki/60657#c5108>
If you're seeing this commit in blames, tell your blame tool to ignore
whitespace, e.g., git blame -w or svn blame -x -w.
* This means queries could possibly return fewer results than the limit and still set a query-continue
* Add iicontinue, rvcontinue, cicontinue, incontinue, amfrom to faciliate query-continue for these modules
* Implemented by blocking additions to the ApiResult object if they would make it too large
** Important things like query-continue values and warnings are exempt from this check
** RSS feeds and exported XML are also exempted (size-checking them would be too messy)
** Result size is checked against $wgAPIMaxResultSize, which defaults to 8 MB
For those who really care, per-file details follow:
ApiResult.php:
* Introduced ApiResult::$mSize which keeps track of the result size.
* Introduced ApiResult::size() which calculates an array's size
(which is the sum of the strlen()s of its elements).
* ApiResult::addValue() now checks that the result size stays below
$wgAPIMaxResultSize. If the item won't fit, it won't be added and addValue()
will return false. Callers should check the return value and set a
query-continue if it's false.
* Closed the back door that is ApiResult::getData(): callers can't manipulate
the data array directly anymore so they can't bypass the result size limit.
* Added ApiResult::setIndexedTagName_internal() which will call
setIndexedTagName() on an array already in the result. This is needed for the
'new' order of adding results, which means addValue()ing one result at a time
until you hit the limit or run out, then calling this function to set the tag
name.
* Added ApiResult::disableSizeCheck() and enableSizeCheck() which disable and
enable size checking in addValue(). This is used for stuff like query-continue
elements and warnings which shouldn't count towards the result size.
* Added ApiResult::unsetValue() which removes an element from the result and
decreases $mSize.
ApiBase.php:
* Like ApiResult::getData(), ApiBase::getResultData() no longer returns a
reference.
* Use ApiResult::disableSizeCheck() in ApiBase::setWarning()
ApiQueryBase.php:
* Added ApiQueryBase::addPageSubItem(), which adds page subitems one item
at a time.
* addPageSubItem() and addPageSubItems() now return whether the subitem
fit in the result.
* Use ApiResult::disableSizeCheck() in setContinueEnumParameter()
ApiMain.php:
* Use ApiResult::disableSizeCheck() in ApiMain::substituteResultWithError()
* Use getParameter() rather than $mRequest to obtain requestid
DefaultSettings.php:
* Added $wgAPIMaxResultSize, with a default value of 8 MB
ApiQuery*.php:
* Added results one at a time, and set a query-continue if the result is full.
ApiQueryLangLinks.php and friends:
* Migrated from addPageSubItems() to addPageSubItem(). This eliminates the
need for $lastId.
ApiQueryAllLinks.php, ApiQueryWatchlist.php, ApiQueryAllimages.php, ApiQuerySearch.php:
* Renamed $data to something more appropriate ($pageids, $ids or $titles)
ApiQuerySiteinfo.php:
* Abuse siprop as a query-continue parameter and set it to all props that
couldn't be processed.
ApiQueryRandom.php:
* Doesn't do continuations, because the result is supposed to be random.
* Be smart enough to not run the second query if the results of the first
didn't fit.
ApiQueryImageInfo.php, ApiQueryRevisions.php, ApiQueryCategoryInfo.php, ApiQueryInfo.php:
* Added continue parameter which basically skips the first so many items
ApiQueryBacklinks.php:
* Throw the result in a big array first and addValue() that one element at a time if necessary
** This is necessary because the results aren't retrieved in order
* Introduced $this->pageMap to map namespace and title to page ID
* Rewritten extractRowInfo() and extractRedirRowInfo() a little
* Declared all private member variables explicitly
ApiQueryDeletedrevs.php:
* Use a pagemap just like in Backlinks
* Introduce fake page IDs and keep track of them so we know where to add what
** This doesn't change the output format, because the fake page IDs start at 0 and are consecutive
ApiQueryAllmessages.php:
* Add amfrom to facilitate query-continue
ApiQueryUsers.php:
* Rewrite: put the getOtherUsersInfo() code in execute()
Doxygen documentation update:
* Changed alls @addtogroup to @ingroup. @addtogroup adds the comment to the group description, but doesn't add the file, class, function, ... to the group like @ingroup does. See for example http://svn.wikimedia.org/doc/group__SpecialPage.html where it's impossible to see related files, classes, ... that should belong to that group.
* Added @file to file description, it seems that it should be explicitely decalred for file descriptions, otherwise doxygen will think that the comment document the first class, variabled, function, ... that is in that file.
* Removed some empty comments
* Removed some ?>
Added following groups:
* ExternalStorage
* JobQueue
* MaintenanceLanguage
One more thing: there are still a lot of warnings when generating the doc.
* Using preg_replace rather than ereg_replace in formatHTML() (faster according to php.net)
* Correcting grammatical error in Title::userIsWatching() description
format=raw is an HTML injection machine like action=raw but without any safeguards; it's trivial to create JavaScript exploits which hit at least Internet Explorer.
There's no reason to add a whole new danger point here when you've got machine-readable structure already... please do not add this raw formatter back.
* De-escape &amp; to & rather than & to & -- guarantees that we won't leave stray &s around producing invalid or freaky output
* Use == instead of = when comparing... :)
breaking change: Query watchlist shows flags only when explicitly requested with wlparam=flags, and rc_this_oldid (textid) is no longer accessible
query watchlist cleanup
bug in the integer parameter min/max validation
bug in feed formatting in error handling
some documentation
* breaking change: Converted a map of revisions into a list of revisions to allow easier json processing (no need to know map keys)
* html formatting now properly links urls ending with a '\n' string (jsonfm)
* regression: fixed allpages to return int instead of string for pageid and ns
* Added: info now returns page length, counter, and a new flag
* Add @addtogroup tags to various classes, to try and group conceptually-related classes together.
* Add brief descriptions to various Special pages, thanks to Phil Boswell.
* Moving some docs to be right above the classes they represent, so that they are picked up.
* Create magic links only using a whitelist of protocols.
Have no proof of vuln, but allowing the user to make JavaScript links and have a lot of control over what goes into them probably isn't desirable.
Example attack input:
http://en.wikipedia.org/w/api.php?action=query&meta=javascript://**/alert(1);
Example pre-patch HTML output contains this string:
<a href="javascript://**/alert">javascript://**/alert</a>(1);
Which doesn't work, due to:
1) the double slash - one slash someone can work around by faking a C-style comment (by appending "**/" as shown above), but two is a problem
2) the parentheses being excluded, so we can't pass parameters
... but best to put a stop to it anyway.
* API: added experimental watchlist rss/atom feed
* API: if available, json_encode() will be used
* API: opensearch parameter changed to "search=" (more descriptive)
* API: minor parameter cleanup, a wrapper for Feed class
