From 3c4be2f2a8f9104d539c15440a6a3e5fd5f3a85c Mon Sep 17 00:00:00 2001 From: Brian Wolff Date: Sun, 17 Feb 2019 11:45:06 +0000 Subject: [PATCH] Various fixes for phan-taint-check Bug: T216348 Change-Id: Id9e7a4704d62457cac9bd1ca6044dec76472e371 --- includes/page/ImageHistoryList.php | 24 ++++++++----- includes/specials/SpecialRecentchanges.php | 2 +- includes/specials/SpecialSearch.php | 41 ++++++++++++++-------- 3 files changed, 42 insertions(+), 25 deletions(-) diff --git a/includes/page/ImageHistoryList.php b/includes/page/ImageHistoryList.php index 53133345ca..e488b6c1f7 100644 --- a/includes/page/ImageHistoryList.php +++ b/includes/page/ImageHistoryList.php @@ -194,16 +194,18 @@ class ImageHistoryList extends ContextSource { $row .= ""; if ( !$file->userCan( File::DELETED_FILE, $user ) ) { # Don't link to unviewable files - $row .= '' - . $lang->userTimeAndDate( $timestamp, $user ) . ''; + $row .= Html::element( 'span', [ 'class' => 'history-deleted' ], + $lang->userTimeAndDate( $timestamp, $user ) + ); } elseif ( $file->isDeleted( File::DELETED_FILE ) ) { + $timeAndDate = htmlspecialchars( $lang->userTimeAndDate( $timestamp, $user ) ); if ( $local ) { $this->preventClickjacking(); $revdel = SpecialPage::getTitleFor( 'Revisiondelete' ); # Make a link to review the image $url = Linker::linkKnown( $revdel, - $lang->userTimeAndDate( $timestamp, $user ), + $timeAndDate, [], [ 'target' => $this->title->getPrefixedText(), @@ -212,12 +214,13 @@ class ImageHistoryList extends ContextSource { ] ); } else { - $url = $lang->userTimeAndDate( $timestamp, $user ); + $url = $timeAndDate; } $row .= '' . $url . ''; } elseif ( !$file->exists() ) { - $row .= '' - . $lang->userTimeAndDate( $timestamp, $user ) . ''; + $row .= Html::element( 'span', [ 'class' => 'mw-file-missing' ], + $lang->userTimeAndDate( $timestamp, $user ) + ); } else { $url = $iscur ? $this->current->getUrl() : $this->current->getArchiveUrl( $img ); $row .= Xml::element( 
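Review bot: In the `isDeleted` branch of the first ImageHistoryList.php hunk, `$timeAndDate` is escaped once with `htmlspecialchars()` and then reused as the `Linker::linkKnown()` link content and as `$url`, but nothing marks it as already-escaped HTML. A later edit that wraps it in `Html::element()`, as the neighbouring branches now do, would double-escape it, and one that swaps in an unescaped value would silently reopen the issue this commit closes. I would add a comment above the assignment, `// Already HTML-escaped: passed as link HTML to linkKnown() and concatenated into $row below`, assuming `linkKnown()` treats that argument as raw HTML, which the added escaping suggests. Renaming `$url` would also help, since it holds either an anchor element or escaped text, never a URL. The enclosing method starts and ends outside this hunk.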
@@ -265,9 +268,12 @@ class ImageHistoryList extends ContextSource { $row .= '' . $this->msg( 'rev-deleted-comment' )->escaped() . ''; } else { - $row .= - '' . Linker::formatComment( $description, $this->title ) . ''; + $contLang = MediaWikiServices::getInstance()->getContentLanguage(); + $row .= Html::rawElement( + 'td', + [ 'dir' => $contLang->getDir() ], + Linker::formatComment( $description, $this->title ) + ); } $rowClass = null; diff --git a/includes/specials/SpecialRecentchanges.php b/includes/specials/SpecialRecentchanges.php index 1e016a5f10..d274c88f17 100644 --- a/includes/specials/SpecialRecentchanges.php +++ b/includes/specials/SpecialRecentchanges.php @@ -912,7 +912,7 @@ class SpecialRecentChanges extends ChangesListSpecialPage { 'span', [ 'class' => 'rclistfrom' ], $this->makeOptionsLink( - $this->msg( 'rclistfrom' )->rawParams( $now, $timenow, $datenow )->parse(), + $this->msg( 'rclistfrom' )->plaintextParams( $now, $timenow, $datenow )->parse(), [ 'from' => $timestamp ], $nondefaults ) diff --git a/includes/specials/SpecialSearch.php b/includes/specials/SpecialSearch.php index ec6c5b94c9..e6d06329ad 100644 --- a/includes/specials/SpecialSearch.php +++ b/includes/specials/SpecialSearch.php @@ -167,21 +167,7 @@ class SpecialSearch extends SpecialPage { $url = str_replace( '$1', urlencode( $term ), $searchForwardUrl ); $out->redirect( $url ); } else { - $out->addHTML( - "
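Review bot: `Html::rawElement()` emits its third argument without escaping, so the safety of the new `td` depends entirely on `Linker::formatComment()` returning sanitised HTML, and the call site does not say so. A one-line comment such as `// formatComment() returns safe HTML, so rawElement() is intended here` would stop a later change from passing plain text or an unescaped description into this sink. Separately, the hunk references `MediaWikiServices` and the patch adds no `use` line for it, so confirm that ImageHistoryList.php already imports the class. The enclosing method continues outside this hunk.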
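Review bot: The switch from `rawParams()` to `plaintextParams()` in the `rclistfrom` message call carries no comment, and the reason is not evident at the call site. Because the result still goes through `->parse()` and is handed to `makeOptionsLink()` as HTML, a reader tidying this code could revert it without noticing that the parameters would again be inserted unescaped. I would add `// plaintextParams: formatted timestamps must not be treated as wikitext or raw HTML` above the call. Where `$now`, `$timenow` and `$datenow` are built is outside the hunk, so whether they can carry markup cannot be confirmed from here.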
" . - "" . - $this->msg( 'search-external' )->escaped() . - "" . - "

" . - $this->msg( 'searchdisabled' )->escaped() . - "

" . - $this->msg( 'googlesearch' )->rawParams( - htmlspecialchars( $term ), - 'UTF-8', - $this->msg( 'searchbutton' )->escaped() - )->text() . - "
" - ); + $this->showGoogleSearch( $term ); } return; @@ -190,6 +176,31 @@ class SpecialSearch extends SpecialPage { $this->showResults( $term ); } + /** + * Output a google search form if search is disabled + * + * @param string $term Search term + * @todo FIXME Maybe we should get rid of this raw html message at some future time + * @suppress SecurityCheck-XSS + */ + private function showGoogleSearch( $term ) { + $this->getOutput()->addHTML( + "
" . + "" . + $this->msg( 'search-external' )->escaped() . + "" . + "

" . + $this->msg( 'searchdisabled' )->escaped() . + "

" . + $this->msg( 'googlesearch' )->rawParams( + htmlspecialchars( $term ), + 'UTF-8', + $this->msg( 'searchbutton' )->escaped() + )->text() . + "
" + ); + } + /** * Set up basic search parameters from the request and user settings. * -- 2.20.1
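Review bot: The `@suppress SecurityCheck-XSS` on `showGoogleSearch()` silences every XSS finding in the method, not only the one raised by emitting the raw `googlesearch` message through `->text()`, so any tainted value added here later will pass the check unnoticed. The docblock should name the expression being accepted and why, for example `Suppressed because 'googlesearch' is a raw-HTML interface message; $term is escaped before substitution`. If the analyser version in use supports line-level suppression, narrow it to that one expression. Also, `htmlspecialchars( $term )` relies on default flags, which on PHP before 8.1 leave single quotes unescaped. Where `$1` lands in the message markup is not visible here, so I would write `htmlspecialchars( $term, ENT_QUOTES )`.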