Prtksxna has uploaded a new change for review. https://gerrit.wikimedia.org/r/199840
Change subject: renderer.article: Use .html() instead of .text() in getProcessesElements ...................................................................... renderer.article: Use .html() instead of .text() in getProcessesElements Both the title and the extract are being html escaped thus producing string like ' and " when used with .text() Moving to html() solves this problem without jeopardizing the XSS attack test case as both strings were already escaped. This undoes parts of I02222bbff84532f63cac67af1bf889c328ec6ff2 and thus also partially affects T76378. Bug: T93720 Change-Id: I6bbc52e427dc636b7b0be1ad4f749d9273ff61b3 --- M resources/ext.popups.renderer.article.js M tests/qunit/ext.popups.renderer.article.test.js 2 files changed, 9 insertions(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Popups refs/changes/40/199840/1
diff --git a/resources/ext.popups.renderer.article.js b/resources/ext.popups.renderer.article.js
index 728606b..d1f8334 100644
--- a/resources/ext.popups.renderer.article.js
+++ b/resources/ext.popups.renderer.article.js
@@ -171,7 +171,7 @@ $.each( extract, function ( index, part ) { if ( part.indexOf( boldIdentifier ) === 0 ) {
- elements.push( $( '<b>' ).text( part.substring( boldIdentifier.length ) ) );
+ elements.push( $( '<b>' ).html( part.substring( boldIdentifier.length ) ) );
 } else { elements.push( part ); }
diff --git a/tests/qunit/ext.popups.renderer.article.test.js b/tests/qunit/ext.popups.renderer.article.test.js
index 9d1622e..0e33c94 100644
--- a/tests/qunit/ext.popups.renderer.article.test.js
+++ b/tests/qunit/ext.popups.renderer.article.test.js
@@ -2,7 +2,7 @@ QUnit.module( 'ext.popups' ); QUnit.test( 'render.article.getProcessedElements', function ( assert ) {
- QUnit.expect( 12 );
+ QUnit.expect( 13 );
 function test ( extract, title, expected, msg ) { var $div = $( '<div>' ).append( 
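Review bot: The new `.html()` call on the bolded part is only safe while `part` is guaranteed to be HTML-escaped before it reaches this loop, and that escaping happens outside the hunk, so nothing here records or enforces the invariant. The `else` branch already pushes `part` as a bare string, so every element of `extract` ends up treated as markup once the elements are appended. A comment above the `$.each` such as `// extract parts are HTML-escaped by the caller; never pass unescaped API text to this loop` would keep a later refactor of the escaping step from silently reintroducing script injection. A sturdier option, if it fits the surrounding code, is to decode the entities once and keep `.text()`, so the sink stays inert whatever upstream does. The enclosing function starts and ends outside the hunk.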
@@ -73,11 +73,17 @@ test( 'Foo\'s pub is a pub in Bar', 'Foo\'s pub',
- '<b>Foo&#039;s pub</b> is a pub in Bar',
+ '<b>Foo\'s pub</b> is a pub in Bar',
 'Correct escaping' ); test(
+ '\"Heroes\" is a David Bowie album', '\"Heroes\"',
+ '<b>\"Heroes\"</b> is a David Bowie album',
+ 'Quotes in title'
+ );
+
+ test(
 '*Testing if Things are correctly identified', 'Things', '*Testing if <b>Things</b> are correctly identified', 'Article that begins with asterisk'
-- To view, visit https://gerrit.wikimedia.org/r/199840 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I6bbc52e427dc636b7b0be1ad4f749d9273ff61b3 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/Popups Gerrit-Branch: master Gerrit-Owner: Prtksxna <psax...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
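Review bot: The added 'Quotes in title' case pins quote handling, but nothing in this hunk exercises markup characters inside the bolded title, which is the part that now goes through `.html()`. The commit message relies on an existing XSS case that sits outside the hunk; if that case only places markup in the non-bold text, the changed sink is untested. A constructed case such as `test( '<i>Foo</i> is a thing', '<i>Foo</i>', '<b>&lt;i&gt;Foo&lt;/i&gt;</b> is a thing', 'Markup in title stays escaped' );` would cover it, with `QUnit.expect` raised to match. The expected string assumes the helper escapes its inputs the way the 'Correct escaping' case implies, so confirm that against the `test` helper body.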