This is basically unexploitable, given that Scribunto sessions are
"extremely ephemeral", protected by a 31-bit non-cryptographically
random token and generally contain very little useful data.
But requiring a CSRF token is a best practice and since this module
is internal and only used in one place, it's also unlikely to break
anything. Because it needs a token, the module is POST-only now too.
Bug: T212071
Change-Id: I7fb6b4f856ee6194eb37c26e14f178fea6c0a3f6
When the Scribunto console produces an error, display a full backtrace
instead of just the error message.
Bug: T74462
Change-Id: I305438284eae8e19a51a70b1e83d54e4831de396
Lua debugging console is useful even if the module page is protected,
so we should display it on read-only edit pages.
However, the `EditPage::showReadOnlyForm::initial` hook does not allow
inserting HTML below the textarea, so we let the JS do it client-side.
(In fact, it might be a good idea to do the same in the base case
and never send the HTML from server, I guess.)
Bug: T93902
Change-Id: I953c4313fc67c6e708b5ef68db5380991a75b363
Coding style:
* Avoid meaningless '_' in variable names, especially when used
  inconsistently.
* Avoid trailing line comments.
* Consistent if/else curly brace position.
* Consistently use single quotes (there are no magic quotes in js).
* Consistently use $ in variable names of jQuery-wrapped elements
  (as opposed to plain node references).
* Avoid using variable names like '_this' or 'that', instead name
  them after the object.
* Too many var statements.
* Hoist var statement.
* Fix alignment of closing parentheses in initEditPage.
Code quality:
* Remove commented out code.
* Add missing radix parameter for parseInt.
* Remove unused private function "printWithRunin".
* Remove unused parameters.
* Don't call "console.log" in production client-side code because
  the console doesn't always exist in normal browser modes (and
  would result in an Uncaught ReferenceError, aborting the script
  unexpectedly and leaving the user interface in a likely
  unresponsive state).
* Use the Promise.done and Promise.fail handlers of mw.Api,
  instead of the deprecated 'ok' and 'err' parameters.
* Use jQuery#on instead of the deprecated jQuery#bind.
* Use a local shared reference to the singleton instead of relying
  on 'this' context, this way the methods can be called
  regardless of context. Such as in the $(document).ready(), or
  when passing around setErrors callback.
* Avoid using invalid html shortcuts like <div/>, use <tag>
  for creation, and <tag>..</tag> for parsing (per style guide).
* Document inputKeydown parameter being jQuery.Event (as opposed
  to native Event).
Misc:
* Renamed '_in' to 'in', and renamed again to 'input' ('in' is an
  illegal variable name and would've crashed).
Change-Id: I283fda1409b1e76db56a939183bdaefc95e60961
If the session data gets lost, the console forgets the content and
previous commands. Detect this situation and handle it.
Change-Id: I82fb5e111c09091d4f9a87d2e1b1c245eced1420
* string.format() truncates the string at a null character, causing a
  deadlock when Lua attempts to send null characters to PHP. Use
  concatenation instead.
* Added test.
* Fixed an error reporting issue in the console, which I happened to
  notice at the same time as the above bug.
Change-Id: I2e6061a04512557492bffbd04bc09ca3bc1d80d6
* Added a debug console to the edit page, allowing unsaved modules to be
  tested.
* Removed the "preview" button from the edit page.
* Only show the "ignore code errors" checkbox on module edit pages, not
  all edit pages.
* Added Lua function mw.log() for sending messages to the debug log.
Change-Id: Ia51f439e573a1deb5b83f94ddd1a86792d5569c1