wiki.techinc.nl/includes/htmlform
SomeRandomDeveloper 0699f46299 Revert "SECURITY: Escape rawElement $content"
This reverts commit 596c2615de.

Reason for revert: This has already been fixed in
I7fe42df7b9a3fd97eaf89515b7c1afb5ae3e688c. This second patch does not
address the issue properly and causes strings to be double escaped that
should only be escaped once.

Full reasoning:
* The parameter is now marked as `@param-taint $buttonLabel exec_html`
  since the fix for T402313
* All callers outside of HTMLButtonField escape the label now
* There is another method call in HTMLButtonField, which passes the
  `buttonLabel` property to the function. This property is assigned
  in the following places:
** L63: Parsed message
** L67: String literal with a Unicode character
** L69: Escaped string
** L72: Intentionally raw HTML string
** L126: `$this->getDefault()`, which will be escaped again in that line
   after this patch is reverted


Bug: T394396
Change-Id: Ifc982e93c3cf2b6658cb8943eb717cb7a2aea7f5
2025-10-03 22:08:24 +00:00
fields Revert "SECURITY: Escape rawElement $content" 2025-10-03 22:08:24 +00:00
CodexHTMLForm.php SECURITY: Escape submit button label for Codex-based HTMLForms 2025-10-02 19:36:28 +00:00
CollapsibleFieldsetLayout.php
HTMLForm.php htmlform: Allow MessageParam on HTMLForm::addButton for label-message 2024-10-26 23:12:51 +00:00
HTMLFormActionFieldLayout.php
HTMLFormElement.php htmlform: Add missing documentation to class properties 2024-09-14 11:49:05 +00:00
HTMLFormField.php htmlform: Add missing documentation to class properties 2024-09-14 11:49:05 +00:00
HTMLFormFieldLayout.php
HTMLFormFieldRequiredOptionsException.php
HTMLNestedFilterable.php
OOUIHTMLForm.php Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
VFormHTMLForm.php Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00