Fix Phan suppression

The SecurityCheck-XSS violation occurred because, in renderFeed(),
the $renderedFeed variable contains both wikitext (tainted) and
HTML (safe) at different points in the function, and Phan is unable
to disentangle that. Splitting it into two variables allows Phan to
validate the rest of the code just fine.

Change-Id: I4da446b869349f06fc0fc40816d44cee390c49a6
Bartosz Dziewoński 2024-09-19 07:43:52 +02:00
parent 2cc29f25a0
commit 6e2ce16be0
2 changed files with 3 additions and 3 deletions


@ -98,7 +98,6 @@ class Hooks implements ParserFirstCallInitHook {
return Utils::getErrorHtml( 'rss-empty', htmlspecialchars( $input ) );
}
// @phan-suppress-next-line SecurityCheck-XSS
return $rss->renderFeed( $parser, $frame );
}


@ -391,6 +391,7 @@ class RSSParser {
*/
public function renderFeed( $parser, $frame ) {
$renderedFeed = '';
$wikitextFeed = '';
if ( isset( $this->itemTemplate ) && isset( $parser ) && isset( $frame ) ) {
$headcnt = 0;
@ -404,12 +405,12 @@ class RSSParser {
}
if ( $this->canDisplay( $item ) ) {
$renderedFeed .= $this->renderItem( $item, $parser ) . "\n";
$wikitextFeed .= $this->renderItem( $item, $parser ) . "\n";
$headcnt++;
}
}
$renderedFeed = $this->sandboxParse( $renderedFeed, $parser );
$renderedFeed = $this->sandboxParse( $wikitextFeed, $parser );
}