* (bug 4502, 5017) Don't render potentially hostile deleted page contents
authorBrion Vibber <brion@users.mediawiki.org>
Thu, 16 Feb 2006 20:53:45 +0000 (20:53 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Thu, 16 Feb 2006 20:53:45 +0000 (20:53 +0000)
  on Special:Undelete by default; show source, with an optional preview.
  The revisions list no longer shows the latest text by default, so it can
  still be operated if the text is hostile.

RELEASE-NOTES
includes/SpecialUndelete.php

index 5c38922..b5a62f6 100644 (file)
@@ -615,6 +615,10 @@ fully support the editing toolbar, but was found to be too confusing.
 * Blocking some Unicode whitespace characters in usernames. Should check
   if some or all should be blocked from all page titles.
 * Unknown log types no longer throw notices everywhere in RecentChanges
+* (bug 4502, 5017) Don't render potentially hostile deleted page contents
+  on Special:Undelete by default; show source, with an optional preview.
+  The revisions list no longer shows the latest text by default, so it can
+  still be operated if the text is hostile.
 
 
 === Caveats ===
index 3a3daba..7d55e0a 100644 (file)
@@ -311,9 +311,12 @@ class UndeleteForm {
                $this->mAction = $request->getText( 'action' );
                $this->mTarget = $request->getText( 'target' );
                $this->mTimestamp = $request->getText( 'timestamp' );
-               $this->mRestore = $request->getCheck( 'restore' ) &&
-                       $request->wasPosted() &&
+               
+               $posted = $request->wasPosted() &&
                        $wgUser->matchEditToken( $request->getVal( 'wpEditToken' ) );
+               $this->mRestore = $request->getCheck( 'restore' ) && $posted;
+               $this->mPreview = $request->getCheck( 'preview' ) && $posted;
+               
                if( $par != "" ) {
                        $this->mTarget = $par;
                }
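Review bot: The new `$posted` local at L33 bundles two distinct facts — the request was a POST and `wpEditToken` matched the user's token — so a reader of the `mRestore`/`mPreview` assignments on L35–36 cannot see that a CSRF guard is what gates them; either rename it `$postedWithToken` or annotate it, e.g. `// POST with a valid edit token: the CSRF guard for restore and preview`. The two added blank lines at L32 and L37 carry trailing whitespace after the marker and should be empty. The constructor this hunk belongs to begins before the hunk.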
@@ -399,7 +402,46 @@ class UndeleteForm {
 
                $wgOut->setPagetitle( wfMsg( "undeletepage" ) );
                $wgOut->addWikiText( "(" . wfMsg( "undeleterevision",
-                       $wgLang->date( $timestamp ) ) . ")\n<hr />\n" . $text );
+                       $wgLang->date( $timestamp ) ) . ")\n" );
+               
+               if( $this->mPreview ) {
+                       $wgOut->addHtml( "<hr />\n" );
+                       $wgOut->addWikiText( $text );
+               }
+               
+               $self = Title::makeTitle( NS_SPECIAL, "Undelete" );
+               
+               $wgOut->addHtml(
+                       wfElement( 'textarea', array(
+                                       'readonly' => true,
+                                       'cols' => intval( $wgUser->getOption( 'cols' ) ),
+                                       'rows' => intval( $wgUser->getOption( 'rows' ) ) ),
+                               $text ) .
+                       wfOpenElement( 'div' ) .
+                       wfOpenElement( 'form', array(
+                               'method' => 'post',
+                               'action' => $self->getLocalURL( "action=submit" ) ) ) .
+                       wfElement( 'input', array(
+                               'type' => 'hidden',
+                               'name' => 'target',
+                               'value' => $this->mTargetObj->getPrefixedUrl() ) ) .
+                       wfElement( 'input', array(
+                               'type' => 'hidden',
+                               'name' => 'timestamp',
+                               'value' => $timestamp ) ) .
+                       wfElement( 'input', array(
+                               'type' => 'hidden',
+                               'name' => 'wpEditToken',
+                               'value' => $wgUser->editToken() ) ) .
+                       wfElement( 'input', array(
+                               'type' => 'hidden',
+                               'name' => 'preview',
+                               'value' => '1' ) ) .
+                       wfElement( 'input', array(
+                               'type' => 'submit',
+                               'value' => wfMsg( 'preview' ) ) ) .
+                       wfCloseElement( 'form' ) .
+                       wfCloseElement( 'div' ) );
        }
 
        /* private */ function showHistory() {
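Review bot: showRevision now shows the deleted text as escaped textarea source and parses it as wikitext only inside the `if( $this->mPreview )` branch at L48, but nothing in the code records why, so a later cleanup could plausibly fold it back into a single `addWikiText( $text )` and reintroduce the issue this commit fixes. Add a why-comment above L48 such as `// Deleted text may be hostile (bug 4502, 5017): show escaped source by default and only parse it when the admin explicitly asks for a preview via a token-checked POST.` The safety of that branch depends on `mPreview` being set only for a POST whose edit token matched, which is established in the constructor rather than here, so the comment should say so. The `cols`/`rows` values at L58–59 pass through `intval()`, which yields 0 if the preference is unset; whether a default is guaranteed cannot be told from this hunk. showRevision's opening lines are outside the hunk.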
@@ -419,7 +461,7 @@ class UndeleteForm {
                        return;
                }
                if ( $this->mAllowed ) {
-                       $wgOut->addWikiText( wfMsg( "undeletehistory" ) . "\n----\n" . $text );
+                       $wgOut->addWikiText( wfMsg( "undeletehistory" ) );
                } else {
                        $wgOut->addWikiText( wfMsg( "undeletehistorynoadmin" ) );
                }
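Review bot: With `$text` dropped from the `mAllowed` branch at L94, whatever populated `$text` earlier in showHistory (outside this hunk) appears to be dead work — presumably a revision fetch whose result is no longer used — unless it is consumed elsewhere in the function; worth confirming and, if so, removing that fetch rather than leaving the variable around. showHistory starts before this hunk and continues after it.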