In a default installation of Mediawiki, the article URLs use the URL GET
parameter "title" to construct the page title (index.php?title=Foo).
When a form is submitted, that parameter is added to the form as a
hidden field. Before this patch, it's added as last element of the form,
which makes the URL confusing. For example, when running a search on the
Lint errors, the URL becomes
index.php?pagename=Test&title=Special%3ALintErrors instead of starting
with title=Special:LintErrors as one would expect.
Note that this is not an issue on wikis that set their article path to
look like /wiki/Foo: in that case, the title of the page is not set as
a hidden field.
Change-Id: Id7c0617166754010cec987158e14ac54ddc94444
Using the constructor without the $context parameter was deprecated
in MediaWiki 1.38 in 97056794fc.
Bug: T308407
Change-Id: Id92adde978e70ffd6fa5d4a048d5d45c7ede4bf3
This edition brought to you by:
grep -ERIn $(grep -o "'[A-Za-z0-9_]*'" includes/MainConfigNames.php | tr
"\n" '|' | sed 's/|$/\n/') includes/
I only corrected a fraction of the results provided by that command. I'm
submitting the partial patch now so it doesn't bitrot.
Bug: T305805
Change-Id: If1918c0b3d88cdf90403921e4310740e206d6962
Make phan stricter about array keys
Remaining false positive issues are suppressed.
The suppression and the setting change can only be done together
Bug: T304887
Depends-On: I3105a5fd4826f8667b5232834defc5ec93be32a1
Depends-On: Ie9610a6e83731468311edb3ed17f80fc509de385
Change-Id: I701f12ab94478c3b8e7fd82110ade74a8e6b04ef
Some use cases like HistoryAction prefer the `index.php` form to keep
consistency, so they use setAction( wfScript() ) or something similar.
But the title is missing, so they hack it with manual addHiddenField()
or add a 'title' field in the descriptor. This is not good and prevents
us to warn the use of internal fields (title, wfEditToken).
Bug: T285464
Change-Id: Iaec81a2fb49162f2fc764f143f88e887572a3a0b
There is no reason to use loadData() only, and would unexpectedly skip
some necessary checks in prepareForm().
Some use cases are too old and didn't make use of the show() method
where should be available, which may be addressed in follow-up(s).
Bug: T256805
Change-Id: Ibbdc2c2c2b056342bb2c583a63546ac789b651d8
It was supposed to become required in 1.19, according to a code
comment (typo'ed in ead9055a).
There seem to be very few uses without the parameter out there (based
on a brief look at https://codesearch.wmcloud.org/), and most of them
are in tests, so they should be easy to find and correct.
Change-Id: I161cc342d1af813c281a6d9e30fdd85bc7b07578
I believe there is a mistake, since DefaultPreferencesFactory::cleanSignature() uses it as field data, which is the only filter applied in the core.
Change-Id: Ic7aa509a3e5fd3a3c717259d83d5bf0a26d3556a
Data of disabled fields wouldn't be sent to the server, which needs to load data from default.
Bug: T298614
Bug: T298819
Change-Id: I58f9df384df8ecc5ebae8cac68ec2251351bc984
Rename HTMLForm::[get|set|add][Pre|Post|Header|Footer]Text() to
HTMLForm::[get|set|add][Pre|Post|Header|Footer]Html() and
deprecate the old methods. Their arguments are rendered as raw
HTML so the old name was misleading.
Some of these are marked as stable to override and theoretically
the renaming could cause problems if callers are updated to the
new name while the overriding class is still using the old name,
but the only case known to codesearch is OOUIHTMLForm which is
also updated here.
Bug: T290771
Change-Id: I2c269eb6ab2b320fa2eef4ee8a226e96ad05fbe2
This name is consist with the rest of the setter and getter methods
in ParserOutput. Renamed the methods in OutputPage, ImageHistoryList,
ImageHistoryPseudoPager, and ContribsPager as well for consistency;
it also makes chasing down lingering references in codesearch easier.
Soft-deprecated the old name for 1.38. Hard-deprecation will follow,
but there are a number of users in production that should be chased
down first.
Code search:
https://codesearch.https://codesearch.wmcloud.org/deployed/?q=(allow%7Cprevent)Clickjacking&i=nope&files=&excludeFiles=&repos=
Bug: T287216
Change-Id: I9822c60c180d204bd30cb4447a1120155d456da4
The message keys by 'options-messages' are evaluated with
Message::plain(), but some situation needs Message::parse() to support
templates and HTML formatting in this values.
Bug: T58633
Change-Id: I8f52f21ae2641ddcad1aa85ce6bf14de1a09ab4b
Note that this changes the effective type of the protected mCancelTarget
field. This fields has no declared type, and does not seem to be used in
any subclass. The type of mTitle is not changed at this time, but
nothing seems to rely on that either.
Bug: T278459
Change-Id: I4bf0d46c74b53ffc9cb3e6e497c789ef6b3bab6a
Implements HTMLTagMultiselectField, a form field that instantiates
TagMultiselectWidget, the PHP representation of the OOUI's js-based
widget of the same name with the implemented parameters:
* allowArbitrary
* allowedValues
Bug: T278317
Change-Id: I3a6a30506d493be4185f917c577b3837fffd8ae1
single string is raw html,
not a message key as documented on HTMLForm::trySubmit
Also remove is_string, any truthy value would be implicit string casted
in HtmlForm::getErrorsOrWarnings
Reorder the if in HtmlForm to look similar to OOUI
Change-Id: I5b78b0df2cca695f8f5c6b08aa4d6c015d1fa1fe
Deconstructing non-sparse, numerically indexed arrays directly in
foreach (a.k.a. using the list() syntax in foreach) is possible since
PHP 5.5.
The possibility to use string array keys as well as non-sequential
numeric keys in array deconstruction was added in PHP 7.1.
Change-Id: I56a48552a45f61cedc291b306cad8548fc70d485
For example, documenting the method getUser() with "get the User
object" does not add any information that's not already there.
But I have to read the text first to understand that it doesn't
document anything that's not already obvious from the code.
Some of this is from a time when we had a PHPCS sniff that was
complaining when a line like `@param User $user` doesn't end
with some descriptive text. Some users started adding text like
`@param User $user The User` back then. Let's please remove
this.
Change-Id: I0ea8d051bc732466c73940de9259f87ffb86ce7a
The code that enables collapsible elements in 'mediawiki.page.ready'
may not run on special pages.
Bug: T260642
Change-Id: I4c5250f5b2575ec6699b99bf979c02e5ac16722d
Not working on Special:AbuseFilter for example
Skins can disable this module so special pages must
add it explicitly.
Bug: T260642
Change-Id: I51deedf9c60279b0917ab085fd7498edf55e93da
Migrate all callers of Hooks::run() to use the new
HookContainer/HookRunner system.
General principles:
* Use DI if it is already used. We're not changing the way state is
managed in this patch.
* HookContainer is always injected, not HookRunner. HookContainer
is a service, it's a more generic interface, it is the only
thing that provides isRegistered() which is needed in some cases,
and a HookRunner can be efficiently constructed from it
(confirmed by benchmark). Because HookContainer is needed
for object construction, it is also needed by all factories.
* "Ask your friendly local base class". Big hierarchies like
SpecialPage and ApiBase have getHookContainer() and getHookRunner()
methods in the base class, and classes that extend that base class
are not expected to know or care where the base class gets its
HookContainer from.
* ProtectedHookAccessorTrait provides protected getHookContainer() and
getHookRunner() methods, getting them from the global service
container. The point of this is to ease migration to DI by ensuring
that call sites ask their local friendly base class rather than
getting a HookRunner from the service container directly.
* Private $this->hookRunner. In some smaller classes where accessor
methods did not seem warranted, there is a private HookRunner property
which is accessed directly. Very rarely (two cases), there is a
protected property, for consistency with code that conventionally
assumes protected=private, but in cases where the class might actually
be overridden, a protected accessor is preferred over a protected
property.
* The last resort: Hooks::runner(). Mostly for static, file-scope and
global code. In a few cases it was used for objects with broken
construction schemes, out of horror or laziness.
Constructors with new required arguments:
* AuthManager
* BadFileLookup
* BlockManager
* ClassicInterwikiLookup
* ContentHandlerFactory
* ContentSecurityPolicy
* DefaultOptionsManager
* DerivedPageDataUpdater
* FullSearchResultWidget
* HtmlCacheUpdater
* LanguageFactory
* LanguageNameUtils
* LinkRenderer
* LinkRendererFactory
* LocalisationCache
* MagicWordFactory
* MessageCache
* NamespaceInfo
* PageEditStash
* PageHandlerFactory
* PageUpdater
* ParserFactory
* PermissionManager
* RevisionStore
* RevisionStoreFactory
* SearchEngineConfig
* SearchEngineFactory
* SearchFormWidget
* SearchNearMatcher
* SessionBackend
* SpecialPageFactory
* UserNameUtils
* UserOptionsManager
* WatchedItemQueryService
* WatchedItemStore
Constructors with new optional arguments:
* DefaultPreferencesFactory
* Language
* LinkHolderArray
* MovePage
* Parser
* ParserCache
* PasswordReset
* Router
setHookContainer() now required after construction:
* AuthenticationProvider
* ResourceLoaderModule
* SearchEngine
Change-Id: Id442b0dbe43aba84bd5cf801d86dedc768b082c7
The status object, which can be returned after validating an HTMLForm,
can contain message objects. These message objects can be constructed
with the full feature set provided by Message, e.g. raw parameters.
The handling of these status objects in HTMLForm basically prevented
some features of the Message object in the status, as it parsed the
messages through the Parser, which does not recognize these raw
parameters as such and escapes them wrongly.
This behaviour is fixed with this change.
Bug: T240774
Change-Id: I152ec51f317799572bf6791e110cd72c42da82a0
This was a server-side check that made certain <button> elements
render as <input> for IE6 and IE7. MediaWiki no longer offers
basic support for these browsers per RFC T232563.
Change-Id: Ibd27b6fda3929bf94a5362a0369b3744e42de121
"Other methods call done after that" should be "Other method calls
done after that" (though "Other methods called after that" would
work too.
Change-Id: I9fe8194647c134e6d2aea7b88c3fd4140ffb9883
Most of the original scope of this patch was implemented in 8665536045
What remains is to use the splat operator in the method signature as
well which is more readable than using func_get_args and doesn't annoy
phan. This is now possible, because we are no longer testing on HHVM and
these mocking in HHVM tests was the only place where this was broken.
Change-Id: I52912d1810b955b05cd17fab424f80c201883411
