This requires minor changes in various parts of MediaWiki, and
being extra careful about cached rendered pages' HTML.
Fun fact: editsection links are not made in Parser. They're made in
Linker, in Skin *and* in ParserOutput.
Client-side code and screen-scrapers will have to be adjusted to
handle both cases (old HTML will still be visible on cached page
renders until they are purged); extensions using the DoEditSectionLink
or EditSectionLink hooks might need adjustments as well.
* Linker: Change the HTML of pages to move the link itself from the
beginning of the heading (before <span class="mw-headline">) to the end
of the heading (after the span).
* Skin: Change the class from .editsection to .mw-editsection; we use this
opportunity to clean up old cruft, and this makes it much easier to
handle cached renders (by just detecting the old class).
* ParserOutput: Implement a horrible hack to support cached parser
outputs with the old order of items.
* Ensure everything that should support both classes supports both
classes (this includes print stylesheets and some scripts).
* Implement styles for the new look for all the skins (did this in
shared.css; the styles are non-intrusive and can be overridden
easily, and all of the skins were using the same look before).
Change-Id: I6a6c12a90de3604012420b20c1f520e0ece170ab
If the editfont preference somehow had a value like "foo; color: blue",
we have a CSS injection problem. Normally preference validation should
protect against that, but the API module for setting preferences doesn't
perform any validation.
Change-Id: I5c12aa9a48bf4f6ea4a8fb44554d13189e7757fb
* (bug 35317) CSRF in Special:Upload
Revert r56793, which removed the CSRF check for Special:Upload for normal file
uploads. Cross-site posting of file uploads without user interaction has been
possible since at least as early as Chrome 8 (late 2010) and Firefox 6 (mid
2011).
Commonist has used api.php since version 0.4.0 (April 2010), and the API
already requires an edit token, so Commonist 0.4.0+ is not affected by this
change.
* (bug 34907) Fix for CSRF vulnerability due to mw.user.tokens. Patch by Roan
Kattouw and Tim Starling.
* Filter out private modules early in ResourceLoader::makeResponse() and just
pretend they weren't specified. This means these modules cannot be loaded
through load.php . This filtering must not happen in makeModuleResponse(),
because that would break inlining.
* Force inlining of private modules in OutputPage::makeResourceLoaderLink(),
disregarding $wgResourceLoaderInlinePrivateModules
* Remove $wgResourceLoaderInlinePrivateModules
* Remove special treatment of private modules ($private) in
ResourceLoader::makeResponse() and sendResponseHeaders(), because we're not
allowing private modules to be loaded through here any more
* Remove identity checks in ResourceLoaderUserOptionsModule and
ResourceLoaderUserCSSPrefsModule, they didn't make a lot of sense before but
they're certainly useless now.
* Factored out error comment construction in ResourceLoader.php and stripped
comment terminations from exception messages. I didn't find an XSS
vulnerability but it looked scary.
Patchset2:
Removes whitespace error that prevented automatic merge by Gerrit:
includes/resourceloader/ResourceLoaderUserOptionsModule.php
Change-Id: I2dec8b8caf9db3c64919763865cc10cccdd6a1a3
