The SecurityCheck-XSS violation occurred because, in renderFeed(),
the $renderedFeed variable contains both wikitext (tainted) and
HTML (safe) at different points in the function, and Phan is unable
to disentangle that. Splitting it into two variables allows Phan to
validate the rest of the code just fine.
Change-Id: I4da446b869349f06fc0fc40816d44cee390c49a6
Add doc-typehints to class properties found by the PropertyDocumentation
sniff to improve the documentation and to remove the exclusion of the
sniff.
The activated sniff prevents new code from missing doc-typehints or
real-typehints.
Adding a @var type to RSSData->items triggers a SecurityCheck-XSS issue from
Phan, but everything is dealing with wikitext when building the items, so that
looks like a false positive.
Change-Id: I4f1d17372d62f02fe7447f5bf5e75b9471d7a338
Language::truncateForVisual() is for plain text strings, while
Language::truncateHTML() is, unsurprisingly, for HTML.
Bug: T32377
Change-Id: Ica171d7c87781801a6634abd6056880bf02f96f0
Parser::getFunctionLang() is being deprecated. These two functions
have been identical since 7df3473cfea59df53debb7a9eefffed8a7f20fb3
in MW 1.19 (2012) and this extension already requires MW >= 1.38.
Bug: T318860
Change-Id: If5fa696e27e84a3aa1343551d7482c933da0a9b6
Previously when $wgRSSAllowLinkTag was true, you could put an
<a> tag containing unescaped ", inside another attribute to escape
from the attribute and create an XSS.
This makes the marker include " and ', so if they are put anywhere
where quotes aren't allowed, the marker will get mangled and not
replaced.
Bug: T307028
Change-Id: I2f7827103bdee0ea766b1f5e7040e2a022fcd2f3
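The quote-bearing marker described in the commit message above, modelled in Python as an added example (this is not the extension's code). The marker strings, `render_item()`, the toy template and the sample field are all constructed assumptions; only the idea that a marker containing `"` and `'` is mangled by attribute escaping and therefore never replaced comes from the commit message.

```python
import html
import re

# Constructed marker formats (assumptions, not the extension's real strings).
WEAK_MARKER = "\x7fLINK-{}\x7f"          # no quote characters
QUOTED_MARKER = "\x7f'\"LINK-{}\"'\x7f"  # contains both " and '

A_TAG = re.compile(r"<a\s[^>]*>.*?</a>", re.IGNORECASE | re.DOTALL)

# Constructed sample field: a benign link whose attributes use double quotes.
SAMPLE = 'See <a href="https://example.org/feed" class="x">the feed</a> & more'


def render_item(description, marker_fmt):
    """Render one feed field into a toy template that uses it twice:
    inside a title="" attribute and as element content."""
    stash = {}

    def swap(match):
        key = marker_fmt.format(len(stash))
        stash[key] = match.group(0)  # real code would also sanitize the tag
        return key

    # 1. Swap every allowed <a> tag for a marker so escaping cannot touch it.
    text = A_TAG.sub(swap, description)

    # 2. Escape for each output context.
    attr = html.escape(text, quote=True)    # attribute: " and ' are escaped
    body = html.escape(text, quote=False)   # element content: quotes kept
    out = f'<span title="{attr}">{body}</span>'

    # 3. Restore stashed tags wherever a marker survived escaping intact.
    #    A quote-free marker survives in BOTH contexts, so the raw tag (and
    #    its quotes) lands inside title="" and ends the attribute early.
    #    A quoted marker is rewritten to &#x27;&quot;... in the attribute,
    #    no longer matches, and is only restored in element content.
    for key, tag in stash.items():
        out = out.replace(key, tag)
    return out


if __name__ == "__main__":
    print("weak  :", render_item(SAMPLE, WEAK_MARKER))
    print("quoted:", render_item(SAMPLE, QUOTED_MARKER))
```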
The minimum required MW version has been bumped to 1.38.
Depends-On: Ic864c01471c292f11799c4fbdac4d7d30b8bc50f
Change-Id: I83923d8b38d33f3638cd53958dd10f257ec21f7c
WikiPage::factory() is deprecated since 1.36 and should be replaced
with WikiPageFactory::newFromTitle().
Bug: T297688
Change-Id: I20898d956230627d820986a683c20bb487d1083b