SECURITY: Better controls for logout interface buttons
authorsbassett <sbassett@wikimedia.org>
Tue, 11 Feb 2020 23:03:40 +0000 (17:03 -0600)
committerReedy <reedy@wikimedia.org>
Thu, 26 Mar 2020 14:02:20 +0000 (14:02 +0000)
* Adds data-mw attribute support within BaseTemplate->getPersonalTools()

* Adds data-mw="interface" for default logout button in
SkinTemplate->buildPersonalUrls()

* Adds the [data-mw="interface"] selector to the '#pt-logout a' click
handler added in 8f033911030d.

Bug: T232932
Change-Id: I8e933badb77c89212603a36470ce655e30c137f0

includes/skins/BaseTemplate.php
includes/skins/SkinTemplate.php
resources/src/mediawiki.page.ready/ready.js

index 0e9bc57..9436c3b 100644 (file)
@@ -139,7 +139,15 @@ abstract class BaseTemplate extends QuickTemplate {
                        if ( isset( $plink['active'] ) ) {
                                $ptool['active'] = $plink['active'];
                        }
-                       foreach ( [ 'href', 'class', 'text', 'dir', 'data', 'exists' ] as $k ) {
+                       foreach ( [
+                               'href',
+                               'class',
+                               'text',
+                               'dir',
+                               'data',
+                               'exists',
+                               'data-mw'
+                       ] as $k ) {
                                if ( isset( $plink[$k] ) ) {
                                        $ptool['links'][0][$k] = $plink[$k];
                                }
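Review bot: The new `'data-mw'` entry in the key list is copied verbatim from `$plink`, and nothing in the code says that it is a trust marker rather than an ordinary display attribute. Per the commit message, the logout click handler in ready.js now binds only to links carrying `data-mw="interface"`, so whatever fills `$plink` decides which links get that behaviour. I would add a comment above the list: `// 'data-mw' marks skin-generated interface links; client-side handlers trust it, so it must never be filled from user-controlled input (T232932)`. The enclosing method starts and ends outside this hunk, so how `$plink` is populated cannot be checked from here.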
index 327061c..cde4197 100644 (file)
@@ -675,6 +675,7 @@ class SkinTemplate extends Skin {
                        if ( $request->getSession()->canSetUser() ) {
                                $personal_urls['logout'] = [
                                        'text' => $this->msg( 'pt-userlogout' )->text(),
+                                       'data-mw' => 'interface',
                                        'href' => self::makeSpecialUrl( 'Userlogout',
                                                // Note: userlogout link must always contain an & character, otherwise we might not be able
                                                // to detect a buggy precaching proxy (T19790)
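Review bot: Nothing at the added `'data-mw' => 'interface'` line records that the logout click handler depends on it. A skin or hook that rebuilds the `logout` entry could therefore drop the key and silently lose that handler. A one-line comment would make the coupling visible: `// Marks this as a skin-generated link; the logout click handler in mediawiki.page.ready only binds to a[data-mw="interface"] (T232932)`. It would also be worth checking whether skins that build their personal tools without going through `getPersonalTools()` still emit the attribute; that cannot be seen from this hunk, and the array literal continues past its end.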
index 48d605d..28374ce 100644 (file)
@@ -54,7 +54,7 @@ $( function () {
        } );
 
        // Turn logout to a POST action
-       $( '#pt-logout a' ).on( 'click', function ( e ) {
+       $( '#pt-logout a[data-mw="interface"]' ).on( 'click', function ( e ) {
                var api = new mw.Api(),
                        url = this.href;
                mw.notify(
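Review bot: The narrowed selector is only as strong as the guarantee that page content can never carry `data-mw`, and that guarantee is neither stated nor enforced in this hunk. Presumably the sanitizer strips reserved `data-mw` attributes from user markup; that should be confirmed and ideally pinned by a test, since the handler still takes `url = this.href` from whichever element matched. I would extend the existing comment to `// Turn logout to a POST action. Only links the skin marked with data-mw="interface" are bound, so an element with id="pt-logout" in page content cannot trigger it (T232932)`. The handler body continues past the end of the hunk, so what is done with `url` afterwards is not visible here.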