X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FMessage.php;h=84ab7ca70323844b17a12c65c49b8536a8c27aff;hb=9dfc1941bc1820b72d74c65c6a83ad9925c42e7a;hp=0240fa747738570eb7ea88257352ecda6a61aad3;hpb=2480aae0c97d822e10b50619e7b48b25c45af073;p=lhc%2Fweb%2Fwiklou.git

diff --git a/includes/Message.php b/includes/Message.php
index 0240fa7477..84ab7ca703 100644
--- a/includes/Message.php
+++ b/includes/Message.php
@@ -726,6 +726,8 @@ class Message implements MessageSpecifier, Serializable {
 	 * @throws MWException
 	 */
 	public function inLanguage( $lang ) {
+		$previousLanguage = $this->language;
+
 		if ( $lang instanceof Language ) {
 			$this->language = $lang;
 		} elseif ( is_string( $lang ) ) {
@@ -740,7 +742,11 @@ class Message implements MessageSpecifier, Serializable {
 				. "passed a String or Language object; $type given"
 			);
 		}
-		$this->message = null;
+
+		if ( $this->language !== $previousLanguage ) {
+			// The language has changed. Clear the message cache.
+			$this->message = null;
+		}
 		$this->interface = false;
 		return $this;
 	}
@@ -1105,7 +1111,7 @@ class Message implements MessageSpecifier, Serializable {
 	public static function listParam( array $list, $type = 'text' ) {
 		if ( !isset( self::$listTypeMap[$type] ) ) {
 			throw new InvalidArgumentException(
-				"Invalid type '$type'. Known types are: " . join( ', ', array_keys( self::$listTypeMap ) )
+				"Invalid type '$type'. Known types are: " . implode( ', ', array_keys( self::$listTypeMap ) )
 			);
 		}
 		return [ 'list' => $list, 'type' => $type ];
@@ -1122,12 +1128,30 @@ class Message implements MessageSpecifier, Serializable {
 	 *
 	 * @return string
 	 */
-	protected function replaceParameters( $message, $type = 'before', $format ) {
+	protected function replaceParameters( $message, $type, $format ) {
+		// A temporary marker for $1 parameters that is only valid
+		// in non-attribute contexts. However if the entire message is escaped
+		// then we don't want to use it because it will be mangled in all contexts
+		// and its unnessary as ->escaped() messages aren't html.
+		$marker = $format === self::FORMAT_ESCAPED ? '$' : '$\'"';
 		$replacementKeys = [];
 		foreach ( $this->parameters as $n => $param ) {
 			list( $paramType, $value ) = $this->extractParam( $param, $format );
-			if ( $type === $paramType ) {
-				$replacementKeys['$' . ( $n + 1 )] = $value;
+			if ( $type === 'before' ) {
+				if ( $paramType === 'before' ) {
+					$replacementKeys['$' . ( $n + 1 )] = $value;
+				} else /* $paramType === 'after' */ {
+					// To protect against XSS from replacing parameters
+					// inside html attributes, we convert $1 to $'"1.
+					// In the event that one of the parameters ends up
+					// in an attribute, either the ' or the " will be
+					// escaped, breaking the replacement and avoiding XSS.
+					$replacementKeys['$' . ( $n + 1 )] = $marker . ( $n + 1 );
+				}
+			} else {
+				if ( $paramType === 'after' ) {
+					$replacementKeys[$marker . ( $n + 1 )] = $value;
+				}
 			}
 		}
 		$message = strtr( $message, $replacementKeys );
@@ -1167,11 +1191,17 @@ class Message implements MessageSpecifier, Serializable {
 			} elseif ( isset( $param['list'] ) ) {
 				return $this->formatListParam( $param['list'], $param['type'], $format );
 			} else {
-				$warning = 'Invalid parameter for message "' . $this->getKey() . '": ' .
-					htmlspecialchars( serialize( $param ) );
-				trigger_error( $warning, E_USER_WARNING );
-				$e = new Exception;
-				wfDebugLog( 'Bug58676', $warning . "\n" . $e->getTraceAsString() );
+				if ( !is_scalar( $param ) ) {
+					$param = serialize( $param );
+				}
+				\MediaWiki\Logger\LoggerFactory::getInstance( 'Bug58676' )->warning(
+					'Invalid parameter for message "{msgkey}": {param}',
+					[
+						'exception' => new Exception,
+						'msgkey' => $this->getKey(),
+						'param' => htmlspecialchars( $param ),
+					]
+				);
 
 				return [ 'before', '[INVALID]' ];
 			}
@@ -1220,7 +1250,16 @@ class Message implements MessageSpecifier, Serializable {
 			$this->getLanguage()
 		);
 
-		return $out instanceof ParserOutput ? $out->getText() : $out;
+		return $out instanceof ParserOutput
+			? $out->getText( [
+				'enableSectionEditLinks' => false,
+				// Wrapping messages in an extra <div> is probably not expected. If
+				// they're outside the content area they probably shouldn't be
+				// targeted by CSS that's targeting the parser output, and if
+				// they're inside they already are from the outer div.
+				'unwrap' => true,
+			] )
+			: $out;
 	}
 
 	/**
@@ -1282,16 +1321,15 @@ class Message implements MessageSpecifier, Serializable {
 	 */
 	protected function formatPlaintext( $plaintext, $format ) {
 		switch ( $format ) {
-		case self::FORMAT_TEXT:
-		case self::FORMAT_PLAIN:
-			return $plaintext;
-
-		case self::FORMAT_PARSE:
-		case self::FORMAT_BLOCK_PARSE:
-		case self::FORMAT_ESCAPED:
-		default:
-			return htmlspecialchars( $plaintext, ENT_QUOTES );
-
+			case self::FORMAT_TEXT:
+			case self::FORMAT_PLAIN:
+				return $plaintext;
+
+			case self::FORMAT_PARSE:
+			case self::FORMAT_BLOCK_PARSE:
+			case self::FORMAT_ESCAPED:
+			default:
+				return htmlspecialchars( $plaintext, ENT_QUOTES );
 		}
 	}