This creates a new language code, 'x-xss', which is enabled using the
setting $wgUseXssLanguage (similar to how $wgUsePigLatinVariant enables
the 'en-x-piglatin' language code, and likewise defaults to false; will
be enabled in development settings soon).

In this language code, all messages become “malicious”, trying to run
some alert() JavaScript; if any alert() actually fires in the browser,
the message was not escaped properly. ($wgRawHtmlMessages are exempt,
since they’re already known to be “unsafe” and require more rights to
edit on-wiki.) Messages that are not escaped properly are generally a
minor security issue; they effectively let a user with 'editinterface'
right (such as a sysop, on many wikis) run arbitrary JS, without needing
the 'editsitejs' right (normally restricted to interface admins).

Developers can use this language code to more easily check their code
for escaping issues / cross-site scripting vulnerabilities.

Bug: T340201
Change-Id: Ia9a1cf712b139fea5da72046e37035e6de39d8d5
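As an added illustration (not MediaWiki code and not part of this change), a language-neutral Python model of the mechanism the commit message describes: under the test language every message becomes a canary that embeds its own key, so any canary that reaches the rendered page unescaped names the message that was not escaped, while messages declared as raw HTML are exempt. The payload shape, the helper names and the sample message keys are assumptions.

```python
import html
import re

# Constructed canary shape (assumption): in the test language every message
# becomes a script tag that embeds the message's own key, so a firing
# alert() names the message that reached the page unescaped.
def xss_language_message(key: str) -> str:
    return f'<script>alert("{key}")</script>'

def render_escaped(key: str) -> str:
    # Correct code path: message text is HTML-escaped before insertion.
    return html.escape(xss_language_message(key))

def render_raw(key: str) -> str:
    # Defective code path: message text inserted into HTML as-is.
    return xss_language_message(key)

def render_page(message_paths: dict[str, bool]) -> str:
    # message_paths maps key -> True if that code path escapes the message.
    parts = []
    for key, escapes in message_paths.items():
        body = render_escaped(key) if escapes else render_raw(key)
        parts.append(f'<p class="mw-message-{key}">{body}</p>')
    return "\n".join(parts)

_CANARY_RE = re.compile(r'<script>alert\("([^"]+)"\)</script>')

def leaked_message_keys(rendered_html: str,
                        raw_html_messages: frozenset = frozenset()) -> list[str]:
    """Keys whose canary survived unescaped, excluding messages declared as
    raw HTML (the $wgRawHtmlMessages exemption), which are expected to
    render unescaped and are therefore not findings."""
    found = _CANARY_RE.findall(rendered_html)
    return [key for key in found if key not in raw_html_messages]

if __name__ == "__main__":
    # Constructed sample: 'welcome' is escaped, 'sitenotice' is not, and
    # 'rawmsg' is a hypothetical raw-HTML message that is exempt.
    page = render_page({"welcome": True, "sitenotice": False, "rawmsg": False})
    print(leaked_message_keys(page, frozenset({"rawmsg"})))  # ['sitenotice']
```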
The classes were already moved in change I62c701d574 (commit
051e127bdb).

Ideally, the tests should have a namespace, but the other tests in
/language are also unnamespaced, so let’s not do that yet.

Change-Id: Ieef8728a1f474ce6b16fa534c9697e1e89a4a36d
2023-07-28 15:23:06 +02:00
Renamed from tests/phpunit/includes/cache/MessageCacheTest.php