Remove support for $wgWellFormedXml=false
author Brian Wolff <bawolff+wn@gmail.com>
Wed, 20 Apr 2016 17:22:51 +0000 (13:22 -0400)
committer Brian Wolff <bawolff+wn@gmail.com>
Thu, 12 May 2016 21:40:01 +0000 (17:40 -0400)
commit ee4d5c6eed3e054dd368c39709d27783c092b3f5
tree 5e1f0846483437c46b0e8a534e94ea9267cf1f86
parent 50a3e5625a4f10a7c1951de164f15c264bdfdcd3
Remove support for $wgWellFormedXml=false

tl;dr: Having unnecessary complexity in security-critical code is bad.

* Extra options add extra complexity and maintenance burden
** Thus we should only have one html output mode. well formed = false
     was already vetoed in T52040, so let's go with WellFormed=true.
* Options which are used by very few people tend to get tested less
* Escaping is an area of code where we should be very conservative
* Having escaping rules depend on making assumptions about which
    characters various browsers consider "whitespace" is scary
* $wgWellFormedXml=false has had a negative security impact in the
    past (usually not directly its fault, but has made other bugs
    more exploitable)
* Saving a couple bytes (even fewer bytes after gzip is taken into
    account) is really not worth it in this context (imho).

Change-Id: I5c922e0980d3f9eb39adb5bb5833e158afda42ed
includes/DefaultSettings.php
includes/Html.php
tests/parser/parserTest.inc
tests/phpunit/includes/HtmlTest.php
tests/phpunit/includes/LinkerTest.php
tests/phpunit/includes/OutputPageTest.php
tests/phpunit/includes/XmlSelectTest.php
tests/phpunit/includes/XmlTest.php
tests/phpunit/includes/content/JsonContentTest.php
tests/phpunit/includes/parser/NewParserTest.php