Doxygen documentation update:
* Changed alls @addtogroup to @ingroup. @addtogroup adds the comment to the group description, but doesn't add the file, class, function, ... to the group like @ingroup does. See for example http://svn.wikimedia.org/doc/group__SpecialPage.html where it's impossible to see related files, classes, ... that should belong to that group.
* Added @file to file description, it seems that it should be explicitely decalred for file descriptions, otherwise doxygen will think that the comment document the first class, variabled, function, ... that is in that file.
* Removed some empty comments
* Removed some ?>
Added following groups:
* ExternalStorage
* JobQueue
* MaintenanceLanguage
One more thing: there are still a lot of warnings when generating the doc.
* Using preg_replace rather than ereg_replace in formatHTML() (faster according to php.net)
* Correcting grammatical error in Title::userIsWatching() description
format=raw is an HTML injection machine like action=raw but without any safeguards; it's trivial to create JavaScript exploits which hit at least Internet Explorer.
There's no reason to add a whole new danger point here when you've got machine-readable structure already... please do not add this raw formatter back.
* De-escape & to & rather than & to & -- guarantees that we won't leave stray &s around producing invalid or freaky output
* Use == instead of = when comparing... :)
breaking change: Query watchlist shows flags only when explicitly requested with wlparam=flags, and rc_this_oldid (textid) is no longer accessible
query watchlist cleanup
bug in the integer parameter min/max validation
bug in feed formatting in error handling
some documentation
* breaking change: Converted a map of revisions into a list of revisions to allow easier json processing (no need to know map keys)
* html formatting now properly links urls ending with a '\n' string (jsonfm)
* regression: fixed allpages to return int instead of string for pageid and ns
* Added: info now returns page length, counter, and a new flag
* Add @addtogroup tags to various classes, to try and group conceptually-related classes together.
* Add brief descriptions to various Special pages, thanks to Phil Boswell.
* Moving some docs to be right above the classes they represent, so that they are picked up.
* Create magic links only using a whitelist of protocols.
Have no proof of vuln, but allowing the user to make JavaScript links and have a lot of control over what goes into them probably isn't desirable.
Example attack input:
http://en.wikipedia.org/w/api.php?action=query&meta=javascript://**/alert(1);
Example pre-patch HTML output contains this string:
<a href="javascript://**/alert">javascript://**/alert</a>(1);
Which doesn't work, due to:
1) the double slash - one slash someone can work around by faking a C-style comment (by appending "**/" as shown above), but two is a problem
2) the parentheses being excluded, so we can't pass parameters
... but best to put a stop to it anyway.
* API: added experimental watchlist rss/atom feed
* API: if available, json_encode() will be used
* API: opensearch parameter changed to "search=" (more descriptive)
* API: minor parameter cleanup, a wrapper for Feed class
