wiki.techinc.nl/includes/htmlform/fields
SomeRandomDeveloper 0699f46299 Revert "SECURITY: Escape rawElement $content"
This reverts commit 596c2615de.

Reason for revert: This has already been fixed in
I7fe42df7b9a3fd97eaf89515b7c1afb5ae3e688c. This second patch does not
address the issue properly and causes strings to be double escaped that
should only be escaped once.

Full reasoning:
* The parameter is now marked as `@param-taint $buttonLabel exec_html`
  since the fix for T402313
* All callers outside of HTMLButtonField escape the label now
* There is another method call in HTMLButtonField, which passes the
  `buttonLabel` property to the function. This property is assigned
  in the following places:
** L63: Parsed message
** L67: String literal with a unicode character
** L69: Escaped string
** L72: Intentionally raw HTML string
** L126: `$this->getDefault()`, which will be escaped again in that line
   after this patch is reverted


Bug: T394396
Change-Id: Ifc982e93c3cf2b6658cb8943eb717cb7a2aea7f5
2025-10-03 22:08:24 +00:00
HTMLApiField.php
HTMLAutoCompleteSelectField.php
HTMLButtonField.php Revert "SECURITY: Escape rawElement $content" 2025-10-03 22:08:24 +00:00
HTMLCheckField.php
HTMLCheckMatrix.php
HTMLComboboxField.php
HTMLDateTimeField.php
HTMLEditTools.php
HTMLExpiryField.php
HTMLFileField.php
HTMLFloatField.php
HTMLFormFieldCloner.php
HTMLFormFieldWithButton.php
HTMLHiddenField.php
HTMLInfoField.php
HTMLIntField.php
HTMLMultiSelectField.php
HTMLNamespacesMultiselectField.php
HTMLRadioField.php
HTMLRestrictionsField.php
HTMLSelectAndOtherField.php
HTMLSelectField.php
HTMLSelectLanguageField.php
HTMLSelectLimitField.php
HTMLSelectNamespace.php
HTMLSelectNamespaceWithButton.php
HTMLSelectOrOtherField.php
HTMLSizeFilterField.php
HTMLSubmitField.php
HTMLTagFilter.php
HTMLTagMultiselectField.php
HTMLTextAreaField.php
HTMLTextField.php
HTMLTextFieldWithButton.php
HTMLTimezoneField.php
HTMLTitlesMultiselectField.php
HTMLTitleTextField.php
HTMLToggleSwitchField.php
HTMLUsersMultiselectField.php
HTMLUserTextField.php SECURITY: Escape usernames in HTMLUserTextField validation errors 2025-06-30 20:57:16 +01:00