Universal-Omega/PortableInfobox
1
0
Fork 0
mirror of https://github.com/Universal-Omega/PortableInfobox.git synced 2024-11-15 03:35:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

(CE-3844) Refactor fix for PI and parser tag fix

Browse source 
A security fix from MW core added quotes to the Parser's strip tag
markers in order to prevent an XSS vulnerability. When this was deployed
PIs and our Wikia tag extensions broke in Mercury because ArticlesAsJson
JSON encodes the parser output in the ParserAfterTidy, but then PI and
the tag extensions were manually replacing the Parser tag strip markers
on the already JSON encoded string within their own ParserAfterTidy methods
(which were always run after the ArticlesAsJson method). This meant that the
strip marker had the quote escaped with a backslash in the encoded string,
so the string replacements failed.

This change follows the previous quick and dirty fix by moving the replacements
in PI and the tag extensions to just before ArticlesAsJson encodes the output.
Which also removes the need from before the fix in #10701 to JSON encode the
parser output of the tags that will be replaced into the text.
This commit is contained in:
grunny 2016-06-17 20:07:38 +10:00
parent 61bdc6e652
commit c006c42035
2 changed files with 10 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
PortableInfoboxHooks.class.php
View file

@ -136,9 +136,12 @@ class PortableInfoboxHooks {
return true;
}
public static function onArticleAsJsonBeforeEncode( &$text ) {
PortableInfoboxParserTagController::getInstance()->moveFirstMarkerToTop( $text );
$tagController = PortableInfoboxParserTagController::getInstance();
$tagController->moveFirstMarkerToTop( $text );
$text = $tagController->replaceMarkers( $text );
return true;
}

20
controllers/PortableInfoboxParserTagController.class.php
View file

@ -50,7 +50,10 @@ class PortableInfoboxParserTagController extends WikiaController {
* @return string
*/
public static function replaceInfoboxMarkers( &$parser, &$text ) {
$text = static::getInstance()->replaceMarkers( $text );
global $wgArticleAsJson;
if ( !$wgArticleAsJson ) {
$text = static::getInstance()->replaceMarkers( $text );
}
return true;
}
@ -138,20 +141,7 @@ class PortableInfoboxParserTagController extends WikiaController {
}
public function replaceMarkers( $text ) {
global $wgArticleAsJson;
if ( $wgArticleAsJson ) {
$contentArray = json_decode( $text, true );
if ( is_array( $contentArray ) && isset( $contentArray['content'] ) ) {
$text = strtr( $contentArray['content'], $this->markers );
$contentArray['content'] = $text;
$text = json_encode( $contentArray );
} else {
$text = strtr( $text, $this->markers );
}
} else {
$text = strtr( $text, $this->markers );
}
return $text;
return strtr( $text, $this->markers );
}
protected function saveToParserOutput( \ParserOutput $parserOutput, Nodes\NodeInfobox $raw ) {