[MediaWiki-commits] [Gerrit] Sanitize embed HTML - change (mediawiki...MultimediaViewer)

2014-03-25 Thread Code Review
Gergő Tisza has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/120953

Change subject: Sanitize embed HTML
..

Sanitize embed HTML

Make sure tables, lists and other complex stuff do not get into the
embed HTML code.

Change-Id: I559dc7892e058e403ddde6994a7e1ac0c9585325
Mingle: https://wikimedia.mingle.thoughtworks.com/projects/multimedia/cards/369
---
M resources/mmv/mmv.EmbedFileFormatter.js
1 file changed, 17 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/MultimediaViewer refs/changes/53/120953/1

diff --git a/resources/mmv/mmv.EmbedFileFormatter.js 
b/resources/mmv/mmv.EmbedFileFormatter.js
index 0f6ddf6..3fc597a 100644
--- a/resources/mmv/mmv.EmbedFileFormatter.js
+++ b/resources/mmv/mmv.EmbedFileFormatter.js
@@ -73,6 +73,9 @@
 * @return {string} byline (can contain HTML)
 */
EFFP.getByline = function ( author, source ) {
+   author = author && this.whitelistHtml( author );
+   source = source && this.whitelistHtml( source );
+
if ( author && source) {
return mw.message(
'multimediaviewer-credit',
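Review bot: In `getByline`, `author = author && this.whitelistHtml( author );` can leave `author` as an empty string if the sanitizer returns nothing for the input, and the `if ( author && source )` test right below will then treat the value as missing. That is probably the fallback you want, but it is a behaviour change and deserves a test case with an author or source made up only of disallowed markup. The docblock still says only "byline (can contain HTML)"; it should state which HTML survives the whitelist so callers know what they are embedding.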
@@ -189,5 +192,19 @@
return $( '' + html + '' ).text();
};
 
+   /**
+* @param {string} html
+* @return {string}
+* FIXME this should probably be handled via dependency injection. Or 
some sort of utils class.
+*/
+   EFFP.whitelistHtml = function ( html ) {
+   var element = mw.mmv.ui.Element.prototype,
+   whitelistHtml = element.whitelistHtml,
+   $el = $( '' + html + '' );
+
+   whitelistHtml.call( element, $el );
+   return $el.html();
+   };
+
mw.mmv.EmbedFileFormatter = EmbedFileFormatter;
 }( mediaWiki, jQuery ) );
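Review bot: In `EFFP.whitelistHtml`, `$el = $( '' + html + '' )` hands the unsanitized string to jQuery before `whitelistHtml.call( element, $el )` gets a chance to filter it, so anything that takes effect at parse time (inline event-handler attributes, resource loads) happens before the whitelist runs. Consider parsing into an inert document first and filtering there. Separately, calling the method with `mw.mmv.ui.Element.prototype` as `this` breaks as soon as `whitelistHtml` touches instance state; the FIXME already points at a utils class, and moving the function there in this change would remove the borrowed-prototype call.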

-- 
To view, visit https://gerrit.wikimedia.org/r/120953
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I559dc7892e058e403ddde6994a7e1ac0c9585325
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/MultimediaViewer
Gerrit-Branch: master
Gerrit-Owner: Gergő Tisza 

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] Sanitize embed HTML - change (mediawiki...MultimediaViewer)

2014-03-28 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: Sanitize embed HTML
..


Sanitize embed HTML

Make sure tables, lists and other complex stuff do not get into the
embed HTML code.

Change-Id: I559dc7892e058e403ddde6994a7e1ac0c9585325
Mingle: https://wikimedia.mingle.thoughtworks.com/projects/multimedia/cards/369
---
M resources/mmv/mmv.EmbedFileFormatter.js
1 file changed, 3 insertions(+), 0 deletions(-)

Approvals:
  Gilles: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/resources/mmv/mmv.EmbedFileFormatter.js 
b/resources/mmv/mmv.EmbedFileFormatter.js
index 9181690..93766e3 100644
--- a/resources/mmv/mmv.EmbedFileFormatter.js
+++ b/resources/mmv/mmv.EmbedFileFormatter.js
@@ -76,6 +76,9 @@
 * @return {string} byline (can contain HTML)
 */
EFFP.getByline = function ( author, source ) {
+   author = author && this.htmlUtils.htmlToTextWithLinks( author );
+   source = source && this.htmlUtils.htmlToTextWithLinks( source );
+
if ( author && source) {
return mw.message(
'multimediaviewer-credit',
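Review bot: `this.htmlUtils` is used in `getByline` but nothing in this hunk sets it, and the diffstat lists only these 3 insertions, so the property has to be initialised elsewhere. Please confirm every `EmbedFileFormatter` instance gets `htmlUtils` before `getByline` can be called, otherwise a non-empty `author` or `source` throws here. The `@return` line still reads "byline (can contain HTML)"; with `htmlToTextWithLinks` in place it should say what markup can remain in the byline.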

-- 
To view, visit https://gerrit.wikimedia.org/r/120953
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I559dc7892e058e403ddde6994a7e1ac0c9585325
Gerrit-PatchSet: 7
Gerrit-Project: mediawiki/extensions/MultimediaViewer
Gerrit-Branch: master
Gerrit-Owner: Gergő Tisza 
Gerrit-Reviewer: Gergő Tisza 
Gerrit-Reviewer: Gilles 
Gerrit-Reviewer: jenkins-bot <>
