Daniel Kinzler has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/133215

Change subject: Fix escapign of wikitext in monolingual values.
......................................................................

Fix escaping of wikitext in monolingual values.

Change-Id: I24dbfdd3df64669e1362e5495b204853937934b9
---
M lib/includes/formatters/MonolingualHtmlFormatter.php
M lib/includes/formatters/WikibaseValueFormatterBuilders.php
M lib/tests/phpunit/formatters/MonolingualHtmlFormatterTest.php
3 files changed, 28 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Wikibase 
refs/changes/15/133215/1

diff --git a/lib/includes/formatters/MonolingualHtmlFormatter.php 
b/lib/includes/formatters/MonolingualHtmlFormatter.php
index 457d393..b599a80 100644
--- a/lib/includes/formatters/MonolingualHtmlFormatter.php
+++ b/lib/includes/formatters/MonolingualHtmlFormatter.php
@@ -3,7 +3,6 @@
 namespace Wikibase\Formatters;
 
 use DataValues\MonolingualTextValue;
-use ValueFormatters\FormatterOptions;
 use ValueFormatters\ValueFormatter;
 use ValueFormatters\ValueFormatterBase;
 use Wikibase\Utils;
@@ -30,7 +29,10 @@
                $textLang = $value->getLanguageCode();
                $textLangName = Utils::fetchLanguageName( $textLang, $userLang 
);
 
-               $msg = wfMessage( 'wikibase-monolingual-text', $text, 
$textLang, $textLangName );
+               $msg = wfMessage( 'wikibase-monolingual-text' )->params(
+                       wfEscapeWikiText( $text ),
+                       wfEscapeWikiText( $textLang ),
+                       wfEscapeWikiText( $textLangName ) );
                return $msg->parse();
        }
 
diff --git a/lib/includes/formatters/WikibaseValueFormatterBuilders.php 
b/lib/includes/formatters/WikibaseValueFormatterBuilders.php
index 41eadc5..91facdc 100644
--- a/lib/includes/formatters/WikibaseValueFormatterBuilders.php
+++ b/lib/includes/formatters/WikibaseValueFormatterBuilders.php
@@ -81,7 +81,7 @@
                SnakFormatter::FORMAT_WIKI => array(
                        'PT:url' => 'ValueFormatters\StringFormatter', // no 
escaping!
                        //'PT:wikibase-item' => 
'Wikibase\Lib\LocalItemLinkFormatter', // TODO
-                       'VT:monolingualtext' => 
'Wikibase\Formatters\MonolingualHtmlFormatter',
+                       //'VT:monolingualtext' => 
'Wikibase\Formatters\MonolingualWikitextFormatter', // TODO
                ),
 
                // Formatters to use for HTML display.
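Review bot: Commenting out the `VT:monolingualtext` entry leaves the FORMAT_WIKI map without any formatter for that value type, and the class the new TODO names, `MonolingualWikitextFormatter`, is not added by this change. What the builder produces for a monolingual value in wikitext output is presumably decided by its fallback logic outside this hunk, so the behaviour change should be stated either in the commit message or in the comment itself, e.g. `//'VT:monolingualtext' => 'Wikibase\Formatters\MonolingualWikitextFormatter', // TODO: formatter does not exist yet; wikitext output currently has no monolingual formatter`. The enclosing array starts and ends outside the hunk.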
diff --git a/lib/tests/phpunit/formatters/MonolingualHtmlFormatterTest.php 
b/lib/tests/phpunit/formatters/MonolingualHtmlFormatterTest.php
index 68d8411..e89c5a3 100644
--- a/lib/tests/phpunit/formatters/MonolingualHtmlFormatterTest.php
+++ b/lib/tests/phpunit/formatters/MonolingualHtmlFormatterTest.php
@@ -25,11 +25,16 @@
         *
         * @covers HtmlUrlFormatter::format()
         */
-       public function testFormat( $value, $options, $pattern ) {
+       public function testFormat( $value, $options, $pattern, $not = '' ) {
                $formatter = new MonolingualHtmlFormatter( $options );
 
                $text = $formatter->format( $value );
-               $this->assertRegExp( $pattern, $text );
+
+               if ( $not === 'not' ) {
+                       $this->assertNotRegExp( $pattern, $text );
+               } else {
+                       $this->assertRegExp( $pattern, $text );
+               }
        }
 
        public function urlFormatProvider() {
@@ -37,11 +42,26 @@
                $options->setOption( ValueFormatter::OPT_LANG, 'en' );
 
                return array(
-                       array(
+                       'formatting' => array(
                                new MonolingualTextValue( 'de', 'Hallo Welt' ),
                                $options,
                                '@^<span lang="de".*?>Hallo 
Welt<\/span>.*\((German|Deutsch)\).*$@'
                        ),
+                       'html/wikitext escaping' => array(
+                               new MonolingualTextValue( 'de', 
'[[Hallo&Welt]]' ),
+                               $options,
+                               '@^<span 
.*?>(\[\[|&#91;&#91;)Hallo(&amp;|&#38;)Welt(\]\]|&#93;&#93;)<\/span>.*$@'
+                       ),
+                       'evil html' => array(
+                               new MonolingualTextValue(
+                                       '" onclick="alert(\'gotcha!\')"',
+                                       
'Hallo<script>alert(\'gotcha!\')</script>Welt'
+                                               .'<a 
href="javascript:alert(\'gotcha!\')">evil</a>'
+                               ),
+                               $options,
+                               '@^<script |(<span |lang="" )onclick="alert|<a 
$@',
+                               'not'
+                       ),
                );
        }
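Review bot: The negative pattern in the 'evil html' case is narrower than the payload it is built for: `^<script ` requires a trailing space and the start of the output, but the injected tag is `<script>` and the output begins with `<span`, and `<a $` requires the end of the output, so only the middle alternative (`onclick="alert` after `<span ` or `lang="" `) can ever fire. An unescaped `<script>` or `href="javascript:` in the text would therefore still pass `assertNotRegExp`. An unanchored pattern that only matches markup surviving unescaped, e.g. `'@<script|onclick=|href=@'`, covers all three injections, assuming the escaping turns `<` and `=` into entities the way the 'html/wikitext escaping' case expects for `[` and `&`. `urlFormatProvider` starts outside the hunk.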
 

-- 
To view, visit https://gerrit.wikimedia.org/r/133215
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I24dbfdd3df64669e1362e5495b204853937934b9
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Wikibase
Gerrit-Branch: master
Gerrit-Owner: Daniel Kinzler <daniel.kinz...@wikimedia.de>
