94f193a894
CVE-2025-32699 Ensure that Unicode NFC normalization can be applied to our HTML output safely. Even though the W3C officially recommends against normalizing HTML https://www.w3.org/International/questions/qa-html-css-normalization#converting this is still easily done inadvertently, especially when using the MediaWiki action API which normalizes parameters and results by default. See also I671648603c4635a35585c860b4857f5ea085e47f in Parsoid, and T266140 / I2e78e660ba1867744e34eda7d00ea527ec016b71 for another similar issue. The following changes are made: * The various HTML serializers (Remex/Tidy-derived, as well as the Html::* helpers) are tweaked to entity-escape U+0338 wherever it appears. * Similarly, Message::escaped() is tweaked to entity-escape U+0338. * Finally, a post-processing pass is added to the OutputTransform pipeline to catch any remaining U+0338 and entity-escape them. This catches U+0338 added during any of the previous OutputTransform stages (like TOC insertion, section edit links, etc). *When backporting* this code will likely need to be moved to ParserOutput::getText(), as the OutputTransform pipeline wasn't added until MW 1.42. Bug: T387130 Change-Id: I66564e14e730f5393f4fa5780b80f24de6075af5 |
||
|---|---|---|
| .. | ||
| data | ||
| docs | ||
| includes | ||
| integration/includes | ||
| maintenance | ||
| mocks | ||
| structure | ||
| suites | ||
| tests | ||
| unit | ||
| bootstrap.common.php | ||
| bootstrap.integration.php | ||
| bootstrap.maintenance.php | ||
| bootstrap.php | ||
| DynamicPropertyTestHelper.php | ||
| getPHPUnitExtensionsAndSkins.php | ||
| HamcrestPHPUnitIntegration.php | ||
| JsonSchemaAssertionTrait.php | ||
| MediaWikiCoversValidator.php | ||
| MediaWikiDeprecatedConfigPHPUnitExtension.php | ||
| MediaWikiGroupValidator.php | ||
| MediaWikiIntegrationTestCase.php | ||
| MediaWikiLangTestCase.php | ||
| MediaWikiLoggerPHPUnitExtension.php | ||
| MediaWikiPHPUnitResultPrinter.php | ||
| MediaWikiTeardownPHPUnitExtension.php | ||
| MediaWikiTestCaseTrait.php | ||
| MediaWikiUnitTestCase.php | ||
| MWTestDox.php | ||
| phpunit.php | ||
| README.md | ||
| ResourceLoaderTestCase.php | ||
| suite.xml | ||
| TestSelectQueryBuilder.php | ||
MediaWiki PHPUnit tests
WARNING: Integration tests may be destructive and alter or remove parts of your local database. We try to use temporary tables where possible, but you must never run tests on a production server or on a wiki where you don't want to lose data.
Running tests
If you haven't already, run composer update (specifically without --no-dev) in the MediaWiki core directory. This will install PHPUnit.
To read about how to run specific tests, refer to:
https://www.mediawiki.org/wiki/Manual:PHP_unit_testing/Running_the_tests
Writing tests
A guide to writing PHPUnit tests for MediaWiki can be found at: