Prtksxna has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/199840

Change subject: renderer.article: Use .html() instead of .text() in 
getProcessesElements
......................................................................

renderer.article: Use .html() instead of .text() in getProcessesElements

Both the title and the extract are being HTML-escaped, thus producing
strings like ' and " when used with .text()

Moving to html() solves this problem without jeopardizing the XSS
attack test case as both strings were already escaped.

This undoes parts of I02222bbff84532f63cac67af1bf889c328ec6ff2 and
thus also partially affects T76378.

Bug: T93720
Change-Id: I6bbc52e427dc636b7b0be1ad4f749d9273ff61b3
---
M resources/ext.popups.renderer.article.js
M tests/qunit/ext.popups.renderer.article.test.js
2 files changed, 9 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Popups 
refs/changes/40/199840/1

diff --git a/resources/ext.popups.renderer.article.js 
b/resources/ext.popups.renderer.article.js
index 728606b..d1f8334 100644
--- a/resources/ext.popups.renderer.article.js
+++ b/resources/ext.popups.renderer.article.js
@@ -171,7 +171,7 @@
 
                $.each( extract, function ( index, part ) {
                        if ( part.indexOf( boldIdentifier ) === 0 ) {
-                               elements.push( $( '<b>' ).text( part.substring( 
boldIdentifier.length ) ) );
+                               elements.push( $( '<b>' ).html( part.substring( 
boldIdentifier.length ) ) );
                        } else {
                                elements.push( part );
                        }
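Review bot: The `.html()` call on the new line is only safe because `part`, and so the title substring it carries, is already HTML-escaped before it reaches getProcessedElements; that invariant lives in the commit message, not in the code, so a later caller handing this function raw API text would turn the `<b>` into an HTML injection point. Record it at the call site, e.g. `// part is already HTML-escaped by the caller; .html() avoids escaping entities such as &#039; a second time (T93720)`, and state the "inputs must be pre-escaped" contract in the function's JSDoc. Because the description says this partially undoes I02222bbff84532f63cac67af1bf889c328ec6ff2, the existing XSS attack test case it mentions should keep feeding an escaped-markup title through this branch so the path stays covered. getProcessedElements starts and ends outside the hunk.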
diff --git a/tests/qunit/ext.popups.renderer.article.test.js 
b/tests/qunit/ext.popups.renderer.article.test.js
index 9d1622e..0e33c94 100644
--- a/tests/qunit/ext.popups.renderer.article.test.js
+++ b/tests/qunit/ext.popups.renderer.article.test.js
@@ -2,7 +2,7 @@
 
        QUnit.module( 'ext.popups' );
        QUnit.test( 'render.article.getProcessedElements', function ( assert ) {
-               QUnit.expect( 12 );
+               QUnit.expect( 13 );
 
                function test ( extract, title, expected, msg ) {
                        var $div = $( '<div>' ).append(
@@ -73,11 +73,17 @@
 
                test(
                        'Foo\'s pub is a pub in Bar', 'Foo\'s pub',
-                       '<b>Foo&amp;#039;s pub</b> is a pub in Bar',
+                       '<b>Foo\'s pub</b> is a pub in Bar',
                        'Correct escaping'
                );
 
                test(
+                       '\"Heroes\" is a David Bowie album', '\"Heroes\"',
+                       '<b>\"Heroes\"</b> is a David Bowie album',
+                       'Quotes in title'
+               );
+
+               test(
                        '*Testing if Things are correctly identified', 'Things',
                        '*Testing if <b>Things</b> are correctly identified',
                        'Article that begins with asterisk'
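Review bot: The `\"` escapes in the new 'Quotes in title' case are unnecessary inside single-quoted strings and read as if a double-quoted literal were intended; the two input lines can simply be `'"Heroes" is a David Bowie album', '"Heroes"',` and `'<b>"Heroes"</b> is a David Bowie album',`. Separately, these inputs are raw quotes, so whether the case exercises the pre-escaped form the description talks about depends on what the `test` helper at the top of the module does before calling getProcessedElements, and that helper's body is outside this hunk; if it does not escape its arguments, a case whose title is entity-encoded (e.g. `&quot;Heroes&quot;`, a constructed value) would pin the behaviour the change is actually fixing. The same applies to the rewritten 'Correct escaping' expectation a few lines above.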

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: I6bbc52e427dc636b7b0be1ad4f749d9273ff61b3
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Popups
Gerrit-Branch: master
Gerrit-Owner: Prtksxna <psax...@wikimedia.org>
