Smuggli has uploaded a new change for review. https://gerrit.wikimedia.org/r/150245
Change subject: Readded escaping of highlight snippets ...................................................................... Readded escaping of highlight snippets Snippets somehow could contain html Change-Id: Ibb5a19ef33b824ab1d148323cb821762ef9ed9bd --- M ExtendedSearch/views/view.ExtendedSearchResultEntry.php M ExtendedSearch/views/view.SearchResult.php 2 files changed, 3 insertions(+), 30 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/BlueSpiceExtensions refs/changes/45/150245/1 diff --git a/ExtendedSearch/views/view.ExtendedSearchResultEntry.php b/ExtendedSearch/views/view.ExtendedSearchResultEntry.php index d5865f5..611f19d 100644 --- a/ExtendedSearch/views/view.ExtendedSearchResultEntry.php +++ b/ExtendedSearch/views/view.ExtendedSearchResultEntry.php @@ -34,7 +34,10 @@ $sOut = ''; foreach ( $aSnippets as $sFrag ) { if ( empty( $sFrag ) ) continue; + $sFrag = htmlspecialchars( $sFrag, ENT_QUOTES, 'UTF-8' ); + $sFrag = str_replace( array( '<em>', '</em>' ), array( '<em>', '</em>' ), $sFrag ); $sOut .= $sFrag . '<br />'; + } return $sOut; } diff --git a/ExtendedSearch/views/view.SearchResult.php b/ExtendedSearch/views/view.SearchResult.php index 6bb104d..874fe28 100644 --- a/ExtendedSearch/views/view.SearchResult.php +++ b/ExtendedSearch/views/view.SearchResult.php @@ -29,11 +29,6 @@ */ protected $sOut = ''; /** - * List of messages to be rendered. - * @var array List of strings. - */ - protected $aMessages = array(); - /** * Contain view for search entry. * @var ViewExtendedSearchResultEntry View for search entry. */ 
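Review bot: The `str_replace` on the second added line is printed with identical search and replacement arrays (`'<em>', '</em>'` on both sides), which makes it a no-op and would leave the highlighter's em tags visibly escaped in the output; if the search array actually holds the escaped forms `'&lt;em&gt;', '&lt;/em&gt;'` and the mail rendering decoded them, that is worth confirming before merge, and a comment such as `// escape everything, then restore only the highlighter's <em> markers` would make the intent explicit. Without `ENT_SUBSTITUTE`, `htmlspecialchars()` returns an empty string for a snippet that contains an invalid UTF-8 sequence, so such a result silently vanishes from the list; `htmlspecialchars( $sFrag, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )` keeps the snippet with U+FFFD in place of the bad bytes, provided the extension's minimum PHP version permits that flag. Restoring only the exact `<em>`/`</em>` tokens after escaping is sound, since no attributes or other elements can survive the escaping step. The enclosing function begins before the hunk.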
@@ -75,33 +70,11 @@ } /** - * Adds a message to be displayed. - * @param string $key Key for the message. - * @param string $message The message in HTML. - */ - public function addMessage( $key, $message ) { - $this->aMessages[$key] = $message; - } - - /** * Adds additional output to page. * @param string $aOutputToAdd HTML that shall be displayed. */ public function addOutput( $aOutputToAdd ) { $this->out .= $aOutputToAdd; - } - - /** - * Prepares a message for direct output. - * @param string $message The message that should be prepared. - * @return string The modified message. - */ - protected function secureMessage( $message ) { - $search = array( "<b>", "</b>", "<i>", "</i>" ); - $replace = array( "<b>", "</b>", "<i>", "</i>" ); // these tags may be contained in i18n messages - $secure = htmlentities( $message, ENT_QUOTES, 'UTF-8' ); - - return str_replace( $search, $replace, $secure ); // primitive whitelisting } /** @@ -111,8 +84,6 @@ public function execute( $param = false ) { $aOut = array(); $aOut[] = parent::execute(); - foreach ( $this->aMessages as $message ) - $aOut[] = '<p>'.$this->secureMessage( $message )."</p>\n"; // primitive whitelisting $aOut[] = $this->sOut; if ( !empty( $this->aResultEntryView ) ) { 
@@ -294,7 +265,6 @@ $sDirectionMessage = ( $aSorting['sortdirection'] == 'asc' ) ? wfMessage( 'bs-extendedsearch-ascending' )->plain() : wfMessage( 'bs-extendedsearch-descending' )->plain(); - global $wgScriptPath; $sIcon .= '" title="' . $sDirectionMessage . '" alt="' . $sDirectionMessage . '" />'; -- To view, visit https://gerrit.wikimedia.org/r/150245 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibb5a19ef33b824ab1d148323cb821762ef9ed9bd Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/BlueSpiceExtensions Gerrit-Branch: master Gerrit-Owner: Smuggli <mug...@hallowelt.biz> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits