Set @param-taint for Parser::internalParse()

This is not strictly accurate, because Parser::internalParse() actually
returns half-parsed HTML, which is not safe for output. But it is safe for
output from a parser tag.

Maybe phan-taint-check plugin needs to learn about half-parsed HTML as an
extra taint type, and make that an acceptable thing for parser tags to return,
but not other things.

But this fixes the failures for the Listings extension, so I think it's
worthwhile in the meantime.

Change-Id: Idf87f5c3dcf81dd210de73a4ff15e3b1aabd9f89

diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index c1f86b6..5f80e27 100644 (file)
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -1313,6 +1313,7 @@ class Parser {
         * @private
         *
         * @param string $text The text to parse
+        * @param-taint $text escapes_html
         * @param bool $isMain Whether this is being called from the main parse() function
         * @param PPFrame|bool $frame A pre-processor frame
         *