From: jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
Date: Thu, 30 Jun 2016 14:49:44 +0000 (+0000)
Subject: Merge "Prepare to split create/modify button label"
X-Git-Tag: 1.31.0-rc.0~6485
X-Git-Url: https://git.heureux-cyclage.org/?a=commitdiff_plain;h=a3209e467b14adbbebdaaf5a9c513824bdd4beaf;hp=4675cb3847fc4aebeb94a5d879e2b0703008fceb;p=lhc%2Fweb%2Fwiklou.git

Merge "Prepare to split create/modify button label"
---

diff --git a/includes/Message.php b/includes/Message.php
index d0325d79b8..2c979dedd0 100644
--- a/includes/Message.php
+++ b/includes/Message.php
@@ -802,10 +802,13 @@ class Message implements MessageSpecifier, Serializable {
 		$string = $this->fetchMessage();
 
 		if ( $string === false ) {
-			if ( $this->format === 'plain' || $this->format === 'text' ) {
-				return '<' . $this->key . '>';
-			}
-			return '&lt;' . htmlspecialchars( $this->key ) . '&gt;';
+			// Err on the side of safety, ensure that the output
+			// is always html safe in the event the message key is
+			// missing, since in that case its highly likely the
+			// message key is user-controlled.
+			// '⧼' is used instead of '<' to side-step any
+			// double-escaping issues.
+			return '⧼' . htmlspecialchars( $this->key ) . '⧽';
 		}
 
 		# Replace $* with a list of parameters for &uselang=qqx.
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 2e059d7423..be9ccaf297 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -11013,7 +11013,7 @@ int keyword - non-existing message
 !! wikitext
 {{int:var}}
 !! html
-<p>&lt;var&gt;
+<p>⧼var⧽
 </p>
 !! end
 
diff --git a/tests/phpunit/includes/MessageTest.php b/tests/phpunit/includes/MessageTest.php
index c4f3fb1497..4c689abb04 100644
--- a/tests/phpunit/includes/MessageTest.php
+++ b/tests/phpunit/includes/MessageTest.php
@@ -223,13 +223,13 @@ class MessageTest extends MediaWikiLangTestCase {
 	 */
 	public function testToStringKey() {
 		$this->assertEquals( 'Main Page', wfMessage( 'mainpage' )->text() );
-		$this->assertEquals( '<i-dont-exist-evar>', wfMessage( 'i-dont-exist-evar' )->text() );
-		$this->assertEquals( '<i<dont>exist-evar>', wfMessage( 'i<dont>exist-evar' )->text() );
-		$this->assertEquals( '<i-dont-exist-evar>', wfMessage( 'i-dont-exist-evar' )->plain() );
-		$this->assertEquals( '<i<dont>exist-evar>', wfMessage( 'i<dont>exist-evar' )->plain() );
-		$this->assertEquals( '&lt;i-dont-exist-evar&gt;', wfMessage( 'i-dont-exist-evar' )->escaped() );
+		$this->assertEquals( '⧼i-dont-exist-evar⧽', wfMessage( 'i-dont-exist-evar' )->text() );
+		$this->assertEquals( '⧼i&lt;dont&gt;exist-evar⧽', wfMessage( 'i<dont>exist-evar' )->text() );
+		$this->assertEquals( '⧼i-dont-exist-evar⧽', wfMessage( 'i-dont-exist-evar' )->plain() );
+		$this->assertEquals( '⧼i&lt;dont&gt;exist-evar⧽', wfMessage( 'i<dont>exist-evar' )->plain() );
+		$this->assertEquals( '⧼i-dont-exist-evar⧽', wfMessage( 'i-dont-exist-evar' )->escaped() );
 		$this->assertEquals(
-			'&lt;i&lt;dont&gt;exist-evar&gt;',
+			'⧼i&lt;dont&gt;exist-evar⧽',
 			wfMessage( 'i<dont>exist-evar' )->escaped()
 		);
 	}
@@ -237,8 +237,10 @@ class MessageTest extends MediaWikiLangTestCase {
 	public static function provideToString() {
 		return [
 			[ 'mainpage', 'Main Page' ],
-			[ 'i-dont-exist-evar', '<i-dont-exist-evar>' ],
-			[ 'i-dont-exist-evar', '&lt;i-dont-exist-evar&gt;', 'escaped' ],
+			[ 'i-dont-exist-evar', '⧼i-dont-exist-evar⧽' ],
+			[ 'i-dont-exist-evar', '⧼i-dont-exist-evar⧽', 'escaped' ],
+			[ 'script>alert(1)</script', '⧼script&gt;alert(1)&lt;/script⧽', 'escaped' ],
+			[ 'script>alert(1)</script', '⧼script&gt;alert(1)&lt;/script⧽' ],
 		];
 	}
 
diff --git a/tests/phpunit/includes/StatusTest.php b/tests/phpunit/includes/StatusTest.php
index 782fab0c6b..474a481a6e 100644
--- a/tests/phpunit/includes/StatusTest.php
+++ b/tests/phpunit/includes/StatusTest.php
@@ -376,9 +376,9 @@ class StatusTest extends MediaWikiLangTestCase {
 		$status->warning( 'fooBar!' );
 		$testCases['1StringWarning'] = [
 			$status,
-			"<fooBar!>",
+			"⧼fooBar!⧽",
 			"(wrap-short: (fooBar!))",
-			"<p>&lt;fooBar!&gt;\n</p>",
+			"<p>⧼fooBar!⧽\n</p>",
 			"<p>(wrap-short: (fooBar!))\n</p>",
 		];
 
@@ -387,9 +387,9 @@ class StatusTest extends MediaWikiLangTestCase {
 		$status->warning( 'fooBar2!' );
 		$testCases['2StringWarnings'] = [
 			$status,
-			"* <fooBar!>\n* <fooBar2!>\n",
+			"* ⧼fooBar!⧽\n* ⧼fooBar2!⧽\n",
 			"(wrap-long: * (fooBar!)\n* (fooBar2!)\n)",
-			"<ul><li> &lt;fooBar!&gt;</li>\n<li> &lt;fooBar2!&gt;</li></ul>\n",
+			"<ul><li> ⧼fooBar!⧽</li>\n<li> ⧼fooBar2!⧽</li></ul>\n",
 			"<p>(wrap-long: * (fooBar!)\n</p>\n<ul><li> (fooBar2!)</li></ul>\n<p>)\n</p>",
 		];
 
@@ -397,9 +397,9 @@ class StatusTest extends MediaWikiLangTestCase {
 		$status->warning( new Message( 'fooBar!', [ 'foo', 'bar' ] ) );
 		$testCases['1MessageWarning'] = [
 			$status,
-			"<fooBar!>",
+			"⧼fooBar!⧽",
 			"(wrap-short: (fooBar!: foo, bar))",
-			"<p>&lt;fooBar!&gt;\n</p>",
+			"<p>⧼fooBar!⧽\n</p>",
 			"<p>(wrap-short: (fooBar!: foo, bar))\n</p>",
 		];
 
@@ -408,9 +408,9 @@ class StatusTest extends MediaWikiLangTestCase {
 		$status->warning( new Message( 'fooBar2!' ) );
 		$testCases['2MessageWarnings'] = [
 			$status,
-			"* <fooBar!>\n* <fooBar2!>\n",
+			"* ⧼fooBar!⧽\n* ⧼fooBar2!⧽\n",
 			"(wrap-long: * (fooBar!: foo, bar)\n* (fooBar2!)\n)",
-			"<ul><li> &lt;fooBar!&gt;</li>\n<li> &lt;fooBar2!&gt;</li></ul>\n",
+			"<ul><li> ⧼fooBar!⧽</li>\n<li> ⧼fooBar2!⧽</li></ul>\n",
 			"<p>(wrap-long: * (fooBar!: foo, bar)\n</p>\n<ul><li> (fooBar2!)</li></ul>\n<p>)\n</p>",
 		];