There is no need to escape double quotes in content of XML.
Html::element() also does not escape double quotes in content.
ENT_NOQUOTES escapes '<', '>' and '&' but not "'" and '"'.
https://secure.php.net/manual/en/function.htmlspecialchars.php
Change-Id: I3b585c43e532cca1a8951d6c9e8b4825fc3b012d
Since 2008 the API has truncated with a warning when too many values are
passed to a multi-valued parameter. It's long past time to make this an
error.
Bug: T41936
Change-Id: I0f9efbdf9230373fa0c175a7fcacbca68225cf40
This is a bit more interoperable than trying to roll our own by using
Title::makeTitleSafe().
We still need to handle IP addresses separately, of course.
Bug: T194916
Change-Id: Ie3900d768cbe15aef079b97d91f7fd23dc7c3e26
With MCR coming up, ApiEditPage is going to need to be able to take
"text" and "contentmodel" parameters for each slot-role, and enumerating
such parameters for every possible slot would probably get rather
confusing as to what is required when, or at least long-winded in
repeating the exact same thing for every possible role.
So let's abstract it: we'll have an "editroles" parameter to specify which
slots are being edited, and ApiEditPage will just declare that
"text-{role}" and "contentmodel-{role}" parameters should exist for each
value of "editroles" in the submission.
Note this patch doesn't introduce anything that uses templated
parameters, just the functionality itself. For testing purposes you
might cherry pick I2d658e9a.
Bug: T174032
Change-Id: Ia19a1617b73067bfb1f0f16ccc57d471778b7361
Follows-up d3da5e08d3, which broke PHP 7.1 and PHP 7.2 test jobs.
This isn't about logic in ApiBase, but about PHP's str-to-int
logic which actually varies between PHP5 and PHP7.
One maps it to 1000, the other as strict int 1 (with non-numerical
text chopped off, the same as it would for 1foo).
If we want to support 1e3 as part of the API itself, then we'd
need to parse it ourselves and then add the test back.
Bug: T192425
Change-Id: I6fc43f29425749a1abe785fefa312db6a98ea7cd
The siteinfo API response's 'writeapi' value is now hard-set to true,
as are the ResourceLoader variables wgEnableAPI and wgEnableWriteAPI,
to be deprecated later.
Bug: T115414
Change-Id: I54ff9428b247ba203d67aba079149393f323d5a9
One bug caught: the watch and unwatch params were not being honored.
They have now been removed.
Depends-On: Ia21a974f2b463afc9324182137b95c80db86a6aa
Change-Id: I0e214339c9ae3f0fb5a40c88a84190bc32503151
Fixed bug: in PHP versions less than 5.6.0, any request that didn't
attempt to add any groups would warn, because it would call array_fill()
with the second argument (num) equal to 0. From PHP 5.6.0, the num
argument to array_fill() is allowed to be 0.
Change-Id: I0c5772f15d8f550dc43fb37c3c58d15dd73ea584
Also removed a sketchy-looking usage of ?: with a string in
ApiParse.php. In this case I think it was fine, because it would only
cause a bug if a page's display title was '0' but its actual title was
not '0', which is only possible if $wgRestrictDisplayTitle is false,
which is broken by design anyway and I don't think is worth testing.
But ?: used for something that should be interpreted as a string is
generally not a good idea.
One bug fixed: an error message that used an undefined variable.
Depends-On: Id0e6184aff8f9d7e8f32558e1de14faa0168cc1d
Change-Id: I0904bff0f9d80892d0db2ebb590c24fb862f2418
One bug fixed: if ApiCheckCanExecute returned false but didn't set
$message, we would try to output a message of false, which would throw
an exception.
Change-Id: Ib06970e280d750ff57d81672f1b365167b93aa3e
One bug fixed: a timestamp of '00' or similar would get interpreted as
'now' by mistake instead of Unix timestamp 0, without throwing the
warning for using 0 instead of 'now'. This is because it called
wfTimestamp() once to parse the input date, got a Unix timestamp of 0
back, and then tried passing that 0 back to wfTimestamp again to
reformat as a wiki date, but it got reinterpreted as 'now'.
Also fixed parameters with type "user" to validate usernames more
correctly. This might be risky, though, if I missed any valid
usernames, or if API clients were for some reason relying on passing in
invalid usernames. If we don't actually want to do this, we should add
a comment explaining why we're allowing any title without a fragment
rather than validating properly.
Still lots more work to do here.
Change-Id: I56b4290263df8698efdbddda71a7eabd9e303abc
Bugs fixed:
* The major one was that appendtext and prependtext seemingly didn't
work at all on empty pages in the MediaWiki namespace, because
$this->getTitle() was being used in place of $titleObj.
* Negative undo/undoafter were not rejected in a correct fashion.
* If a logged-in user who was not allowed to upload images tried to
create an image redirect, the error message used a nonexistent key.
I also replaced assertEquals with assertSame.
I also removed a bit of clearly dead code. This includes a "break"
following dieStatus(). If we actually want this break so that nobody
adds a case after the default and then removes the dieStatus() so the
switch incorrectly falls through, it could be re-added with
@codeCoverageIgnore.
I put the fixes in the same commit as the test changes because I like to
keep fixes together with the tests for those fixes.
All code now shows up as covered locally, except for one line that seems
to be a PHPUnit bug.
Change-Id: I9375bc5f40268fd681a2d447c66a03f40b23390a
The difference between two integers is less than 1 only if it's 0, so
the test as-is will fail whenever the second changes between when '1
day' is evaluated when inserting the block, and when time() is called
for the assert.
Change-Id: Ic76ff05729129b74345696879a934253525213fa
The code coverage tool still reports that line 50 ("$status,") is not
covered, but this is just a parameter to a function that is in fact
called and does show up as covered, so I'm pretty sure it's a bug.
I replaced a couple of sanity checks that reported "incomplete" on
failure with actual assertions so that the test would fail properly if
the sanity check failed.
The testing could still probably be expanded considerably.
Change-Id: Ib6ba7227af23bcb50c7e3bafb0b51395e8acf03f
Still missing a test for file deletion, because I didn't figure out a
simple way to create a file page that I can test on.
Change-Id: I276e84b4f7777e5dd5be5520e572b9b9bb0c0633
I only made one small addition, because I don't understand login/session
code well enough to easily do more.
Change-Id: I36c5ea8e31fb00d75da24c38381f74ba8a15f31a
* Convert OutputHandler.php from global functions to a class.
- wfOutputHandler → OutputHandler::handle
(no alias, no usage outside core)
- wfGzipHandler → OutputHandler::handleGzip
(private, no usage outside class)
- wfRequestExtension → OutputHandler::findUriExtension
(private, no usage outside class)
- wfMangleFlashPolicy → OutputHandler::mangleFlashPolicy
(private, no usage outside class)
- wfDoContentLength → OutputHandler::emitContentLength
(private, no usage outside class)
- wfHtmlValidationHandler → OutputHandler::validateAllHtml
(private, no usage outside class)
* Add the class to autoload.php for exposure outside WebStart.
Specifically, for use in ApiFormatPhpTest. This also removes the
need to manually load the class because this code runs after
Setup.php loads AutoLoader.php.
Bug: T189966
Change-Id: I27a41ec0ae0ee30aeb313a616323b967605c4055
Locally this reports that everything is covered, although the get*()
functions are not registering at all (white backgrounds).
Change-Id: I73fabfb33b329dc3416368fda52d35f7ee6a4a18
Storing the user name or IP in every row in large tables like revision
and logging takes up space and makes operations on these tables slower.
This patch begins the process of moving those into one "actor" table
which other tables can reference with a single integer field.
A subsequent patch will remove the old columns.
Bug: T167246
Depends-On: I9293fd6e0f958d87e52965de925046f1bb8f8a50
Change-Id: I8d825eb02c69cc66d90bd41325133fd3f99f0226
The return value for ApiFormatBase::getFilename() was formerly
documented as "must be encoded for inclusion in a Content-Disposition
header's filename parameter." While this is ok for the common use case
where the module is returning a constant string or can assume whatever
it gets back from getExtensionsForType() is ok, it's not in general a
good idea to make all callers handle that.
Further, it's not possible to represent characters outside of the
ISO-8859-1 character set in a 'filename' parameter. You have to use
'filename*' to do that (see RFC 5987 and RFC 6266).
So, this patch changes the definition of getFilename() to remove the
encoding requirement, and adds code to properly convert and escape the
value for the 'filename' and (if necessary) 'filename*' parameters.
Note this may give unexpected results (double encoding) if any module
actually is returning an encoded filename. I don't see any such cases in
core or in extensions in Gerrit.
Change-Id: I0c2749a847b639f228efff4e1917a61612a1f7d1
This allows to response with an invalidreason instead silently ignore
the parameter.
Example request: api.php?format=json&action=query&titles=%20
Response before this change:
{
"batchcomplete": ""
}
Response with this change:
{
"batchcomplete": "",
"query": {
"pages": {
"-1": {
"title": " ",
"invalidreason": "The requested page title is empty or contains only the name of a namespace.",
"invalid": ""
}
}
}
}
Bug: T185846
Change-Id: I6fdaf32792a0e6e37b08176f975c10607093351b
It is the job of git and svn to provide this information/metadata.
The form was different, some with short, some with long month name
some with leading zero at the day, some without.
The year is also present in the Copyright clause
Change-Id: If006907b82b9e45f13cfa2e45d41107a95570e1a
Ensuring proper behavior of the base class lets comprehensive tests of
subclasses be simpler.
This also adjusts ApiFormatTestBase to be a bit more usable, passing an
array of options through to encodeData() instead of just a class name.
And removes the unused 'SKIP' from testGeneralEncoding, but allows
expecting an exception (for use in I63ce42dd).
Change-Id: Ib2a1fa0b04860b09105376881ff8411f9534c453
This adds 'sanity check' message for one of asserts so it is more
clear that it is asserting a precondition.
Change-Id: I10d36c1bf69effd7bd83f4a2259144e9f6e114fc
Clean up use of @codingStandardsIgnore
- @codingStandardsIgnoreFile -> phpcs:ignoreFile
- @codingStandardsIgnoreLine -> phpcs:ignore
- @codingStandardsIgnoreStart -> phpcs:disable
- @codingStandardsIgnoreEnd -> phpcs:enable
For phpcs:disable always the necessary sniffs are provided.
Some start/end pairs are changed to line ignore
Change-Id: I92ef235849bcc349c69e53504e664a155dd162c8
The deprecated diffing in prop=revisions and such used a 'rvsection'
parameter. To enable migration of things using that, action=compare
needs corresponding section parameters.
Bug: T183823
Change-Id: If1a0e2df614c083b37640418c69cca367ce0e895
These tests apply to things that are not relevant to PHP code coverage,
such as testing presence of messages, JSON files, or the PHPUnit tests
themselves.
Using @coversNothing indicates that there is no code here to be covered,
and prevents warnings when using --strict-coverage mode (T152923).
Change-Id: Id89ee2c15a3ce3f10e34b13fb677cd1af75af9e6
This patch does two major things to the newly introduced
ApiQueryRecentChangesIntegrationTest:
* It rips the confusingly complicated assertArraySubsetsEqual appart.
* It removes all wikitext content. Note that no assertion is done on this
content (not even in the test that is about adding a category). The tests
run just fine with automatically generated content. I had to introduce the
$i counter to make sure consecutive edits are done with different content.
Otherwise the later edit is not stored.
Change-Id: Iae585be86f3fd9bff7d2b4b7b218d5b0b4258603
Quoting PHPUnit docs:
The $index parameter for the at() matcher refers to the index,
starting at zero, in all method invocations for a given mock object.
Exercise caution when using this matcher as it can lead to brittle
tests which are too closely tied to specific implementation details.
Indeed these test cases would break horribly with unintuitive error
messages ("Mocked method does not exist") if anything in preferences
or API code called any additional methods on the mocked user. For
example, it relied on the caching in Preferences::getPreferences(),
which is being removed in I92390120a16448383a25e9ba2dd35a434a2f21bf.
I'm pretty sure all that matters here is that all the setOption()
calls with different arguments happen, so let's test just that.
Change-Id: I30a814151a006e5f147eebb918344049807b2b97
Follows-up 90c95fc7f2, which included result of Skin::getDefaultModules
in the prop=modules list. All hardcoded modules in OutputPage and Parser
were also subsequently moved into Skin::getDefaultModules.
However, a number of modules cannot be moved there because fundamentally
Skin::getDefaultModules can only load modules via OutputPage::addModules().
For style modules, addModuleStyles() must be used.
Fortunately, there is already a centralised place for that, namely
Skin::setupSkinUserCss(). Include that in the ApiParse return as well.
That should resolve the last bit of inconsistency between ApiParse
and OutputPage when it comes to the module queue.
Bug: T140664
Change-Id: I35e2e3bbdccdd1aa2a259b8e624daa80c609ba8c
Fatal error was happening due to the fact that ApiUsageException was
trying to call `getMessage()` on StatusValue which doesn't have this
method.
Change-Id: Idd9c7d47d9e24a6a32db6daf75a827bf958c9b76
MWNamespace has three internal caches, only one of which can be cleared
(and that somewhat oddly by passing a boolean to
MWNamespace::getCanonicalNamespaces()).
This change introduces a MWNamespace::clearCaches() method to clear all
three caches. It also adds some resetting in tests that seemed to be
missing it.
Change-Id: I1dcfcd8713888b3ff8fc75e95329ba72bd95d0c9
The used phpcs has a bug, so the version 0.9.0 could not be enforced at the moment.
Will be fixed in next version, see T167168
Changed:
- Remove duplicate newline at end of file
- Add space between function and ( for closures
- and -> &&, or -> ||
Change-Id: I4172fb08861729bccd55aecbd07e029e2638d311
Now that ParserOptions->isSafeToCache() exists, use it where necessary.
This also moves the use inside the makeParserOptions() method so other
callers can pick it up as well.
Then pass the flag as $forceParse into WikiPage::getParserOutput()
instead of duplicating the logic in several cases, and generally clean
up the logic in the module to let WikiPage decide when to use the cache
in more cases.
Change-Id: I0079e10a40997e4a3b59ac21ef6c92246a147736
Support diffing deleted revisions, user-supplied text, and additional
properties about the diffed revisions such as the user and edit summary.
Bug: T20189
Bug: T30047
Bug: T164529
Change-Id: I5565d717d9c2fd19da7cae02890a15e244cc238b
If the load() triggered by User method calls fails, then mId becomes 0
which means there is no "user" right set in getAutomaticGroups().
Bug: T75174
Change-Id: I2d719e4b96c0142e9d408aa2d4f7c5e7a767a754
Replaces \TestingAccessWrapper (defined in core) with
\Wikimedia\TestingAccessWrapper (defined in the composer package
wikimedia/testing-access-wrapper).
See https://gerrit.wikimedia.org/r/#/q/topic:librarize-testing-access-wrapper
for downstream patches.
The core version of the class is kept around for a while to avoid
circular dependency problems.
Bug: T163434
Change-Id: I52cc257e593da3d6c3b01a909e554a950225aec8
The default will remain PHPUnit 4.x due to PHP 5.5 support.
But, we should allow developers to run tests with newer PHPUnit
versions which are noticably faster (especially for code coverage
reports).
* <https://github.com/sebastianbergmann/phpunit/wiki/Release-Announcement-for-PHPUnit-5.4.0>
PHPUnit 5 deprecates the getMock() shortcut for getMockBuilder()->getMock().
It instead introduces the shortcut createMock() which has better defaults
than getMockBuilder(). For example, it sets 'disableArgumentCloning' and
other things by default.
Going forward, code should either use getMockBuilder directly and configure
it using the setter methods (instead of the confusing variadic arguments
of getMock) or simply use the new minimalistic createMock method. This patch
backports the createMock method to MediaWikiTestCase so that we can start
using it.
Change-Id: I091c0289b21d2b1c876adba89529dc3e72b99af2
API tests are all subclasses of MediaWikiLangTestCase, which overrides
the content language when the tests are actually running. So we need to
always use 'en' to match that.
Bug: T162007
Change-Id: Ie001576fb62ae88c9141e471fd8fcbc49592be32
For example Special:MyPage, Special:MyTalk, and Special:MyLanguage.
Don't follow other redirect special pages like Special:MyContributions,
though, because the following only really makes sense when the redirect
is to an article.
Bug: T145541
Change-Id: I8c8065552ed128017887e48285e359def8bd3cd3
