[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wikitech-l
Subject:    Re: [Wikitech-l] [MediaWiki-CVS] SVN:  [23537] trunk/phase3
From:       Brion Vibber <brion () wikimedia ! org>
Date:       2007-06-29 13:25:21
Message-ID: 46850841.6070106 () wikimedia ! org
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

robchurch@svn.wikimedia.org wrote:
> +'ShowRawCssJs': When presenting raw CSS and JavaScript during page views
> +&$text: Text being shown
> +$title: Title of the custom script/stylesheet page
> +$output: Current OutputPage object
> +
[snip]							
> +// Give hooks a chance to do formatting...
> +if( wfRunHooks( 'ShowRawCssJs', array( &$text, $this->mTitle, $wgOut ) ) ) {
> +	// Wrap the whole lot in a <pre> and don't parse
> +	preg_match( '!\.(css|js)$!u', $this->mTitle->getText(), $m );
> +	$wgOut->addHtml( "<pre class=\"mw-code mw-{$m[1]}\" dir=\"ltr\">\n" );
> +	$wgOut->addHtml( htmlspecialchars( $text ) );
> +	$wgOut->addHtml( "\n</pre>\n" );
> +} else {
> +	// Wrap hook output in a <div> with the right direction attribute
> +	$wgOut->addHtml( "<div dir=\"ltr\">\n{$text}\n</div>" );
> +}

I find I'm a bit leery of this hook. The $text parameter is source text
on input, and may be *either* source text *or* HTML on output.

This sort of thing feels "unsafe by default"; not only does the variable
change type, but it changes in an unsafe direction (eg, a safe text
string may be unsafe HTML).

I'd rather have the hook either do its own output on $output when
returning false, or return an HTML string via another parameter.

- -- brion vibber (brion @ wikimedia.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGhQhBwRnhpk1wk44RAlFgAJ9HPkd9o3bLbo272qaDM8V+QjcIqQCgkKQG
H0H29izL+vUqWc855dn/ci8=
=Q1JP
-----END PGP SIGNATURE-----

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
http://lists.wikimedia.org/mailman/listinfo/wikitech-l
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic