From eb7150b029e0c17f46e169c9cbd561ca028eee12 Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Thu, 30 Aug 2018 21:46:10 -0700 Subject: [PATCH] Set @param-taint for Parser::internalParse() This is not strictly accurate, because Parser::internalParse() actually returns half-parsed HTML, which is not safe for output. But it is safe for output from a parser tag. Maybe phan-taint-check plugin needs to learn about half-parsed HTML as an extra taint type, and make that an acceptable thing for parser tags to return, but not other things. But this fixes the failures for the Listings extension, so I think it's worthwhile in the meantime. Change-Id: Idf87f5c3dcf81dd210de73a4ff15e3b1aabd9f89 --- includes/parser/Parser.php | 1 + 1 file changed, 1 insertion(+) diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php index c1f86b63bd..5f80e277bf 100644 --- a/includes/parser/Parser.php +++ b/includes/parser/Parser.php @@ -1313,6 +1313,7 @@ class Parser { * @private * * @param string $text The text to parse + * @param-taint $text escapes_html * @param bool $isMain Whether this is being called from the main parse() function * @param PPFrame|bool $frame A pre-processor frame * -- 2.20.1
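Review bot: The added `@param-taint $text escapes_html` line in the Parser::internalParse() docblock has no accompanying comment marking it as a known approximation, although the commit message says the method returns half-parsed HTML that is not safe for output except from a parser tag. The annotation sits on the parameter itself, so it tells the taint check the same thing for every caller, not only for parser tags such as those in the Listings extension. Suggest adding a short docblock comment next to the annotation stating that the return value is half-parsed HTML, that it is only safe as parser tag output, and that the annotation is a stopgap until the taint-check plugin can treat half-parsed HTML as its own taint type. That keeps the caveat visible to someone reading Parser.php without the commit history.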