733d19d0d0
Before change I98df55f2 it was possible to set arbitrary preferences (ie. with anything as the key) using the action=options API. That change removed this ability by enforcing full validation of the preferences, also introducing several regressions which were fixed by follow-ups. Per the discussion on bug 40124, this changeset aims to restore this ability, but in a slightly restricted way: arbitrary preferences' names must start with userjs- prefix, to avoid any possibility of conflicting with new MediaWiki versions or extensions. The contents of these preferences is not escaped, sanitized nor validated in any way; script authors are expected to sanitize them themselves to prevent XSS attacks and other security vulnerabilities. This commit also adds the User::getOptionsKinds() method (to determine whether given preference keys are used by MediaWiki itself or an extension, intended to be used via the API, or entirely unknown) and enhances the User::resetOptions() method to allow for resetting only preferences of chosen kinds. These changes allow for fixing of Special:Preferences not to clear those additional fields when saving user settings. Change-Id: I5f9ba5b0dfe7c2ea5458d836f03429cf6d93969d |
||
|---|---|---|
| .. | ||
| format | ||
| ApiAccountCreationTest.php | ||
| ApiBlockTest.php | ||
| ApiEditPageTest.php | ||
| ApiGeneratorTest.php | ||
| ApiOptionsTest.php | ||
| ApiParseTest.php | ||
| ApiPurgeTest.php | ||
| ApiQueryRevisionsTest.php | ||
| ApiQueryTest.php | ||
| ApiTest.php | ||
| ApiTestCase.php | ||
| ApiTestCaseUpload.php | ||
| ApiUploadTest.php | ||
| ApiWatchTest.php | ||
| generateRandomImages.php | ||
| PrefixUniquenessTest.php | ||
| RandomImageGenerator.php | ||
| words.txt | ||