Mailing List Archive: Wikipedia: Wikitech

Re: [MediaWiki-CVS] SVN: [39799] trunk/phase3: Revert r39793 "* (bug 13879) Special:EmailUser shows a form [...]

Index | Next | Previous | View Threaded

bryan.tongminh at gmail

Aug 22, 2008, 1:17 AM

Post #1 of 2 (328 views)
Permalink

*Re: [MediaWiki-CVS] SVN: [39799] trunk/phase3: Revert r39793 " (bug 13879) Special:EmailUser shows a form [...]**

On Fri, Aug 22, 2008 at 12:56 AM, <brion[at]svn.wikimedia.org> wrote:
> Revision: 39799
> Author: brion
> Date: 2008-08-21 22:56:45 +0000 (Thu, 21 Aug 2008)
>
> Log Message:
> -----------
> Revert r39793 "* (bug 13879) Special:EmailUser shows a form in case no user was specified" for the moment
> * Recipient name seems to be output raw into HTML form; this is insecure
There was an htmlspecialchars around it:
> - $recipient = $this->target instanceof User ?
> - htmlspecialchars( $this->target->getName() ) :
> - '';

> * We've lost the link to the target's user page in the primary use case (followed 'email this user' link)
You suggest that we only show the input box in case no target or an
invalid target is specified and else the current behaviour with a link
to the receipent?

Bryan

_______________________________________________
Wikitech-l mailing list
Wikitech-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

brion at wikimedia

Aug 22, 2008, 9:27 AM

Post #2 of 2 (296 views)
Permalink

*Re: [MediaWiki-CVS] SVN: [39799] trunk/phase3: Revert r39793 " (bug 13879) Special:EmailUser shows a form [...]** [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bryan Tong Minh wrote:
>> Revert r39793 "* (bug 13879) Special:EmailUser shows a form in case no user was specified" for the moment
>> * Recipient name seems to be output raw into HTML form; this is insecure
> There was an htmlspecialchars around it:
>> - $recipient = $this->target instanceof User ?
>> - htmlspecialchars( $this->target->getName() ) :
>> - '';

Ugh. That's a bad practice, with two big things wrong with it:

1) The escaping is separated from the output (which happens many lines
down), making it harder to find and more prone to future error as code
is updated over the years

and

2) The escaped variable doesn't follow our convention for output-escaped
variables, making it harder to confirm it's correct and easier to run
into future troubles if the variable gets reused for something else in
the middle of the function because future maintainers don't realize it's
output-escaped.

If it must be used, it should be named $encRecipient to follow the
convention and aid future code maintenance.

Better still would be to construct the form components with the HTML
generator functions in the Xml class, which will ensure proper escaping.

>> * We've lost the link to the target's user page in the primary use case (followed 'email this user' link)
> You suggest that we only show the input box in case no target or an
> invalid target is specified and else the current behaviour with a link
> to the receipent?

That might be nice; otherwise we've got no link back.

- -- brion
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiu6QUACgkQwRnhpk1wk45mEgCfRO41H6Y/8ZnSPn5y84bhPTBV
nBoAoNOEwFl4OnOOJEmSMctrf8Z6ZwpY
=GtM8
-----END PGP SIGNATURE-----

_______________________________________________
Wikitech-l mailing list
Wikitech-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com