15:08:39 <checkstyle version="6.5">
15:08:39 <file name="includes/specials/SpecialMobileDiff.php">
15:08:39 <error line="339" severity="warning" message="Calling method \OutputPage::addHTML() in \SpecialMobileDiff::showFooter that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ../../includes/Html.php +304; ../../includes/page/ImagePage.php +878; includes/specials/SpecialMobileDiff.php +331; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; ../../includes/user/User.php +2282; ../../includes/Revision/RevisionStore.php +1874; ../../includes/user/User.php +1421; ../../includes/Revision/RevisionStore.php +1874; ../../includes/user/User.php +1421; includes/specials/SpecialMobileDiff.php +397; Builtin-\Message::parse; ../../includes/language/Message.php +940)" source="SecurityCheck-XSS"/>
15:08:39 </file>
15:08:39 </checkstyle>
Description
Details
Related Objects
Event Timeline
Change 582935 had a related patch set uploaded (by Jdlrobson; owner: Jdlrobson):
[mediawiki/extensions/MobileFrontend@master] Disable phan warning for now
I actually found a different HTML escaping issue while investigating this: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/582909
But I think the Phan error is a false positive. The methods it names look correct at a glance. And we don't even call anything from ImagePage.php…?
It seems to be complaining about output of SpecialMobileDiff::listGroups() being blindly output as HTML. This warning seems correct because that method returns the result of UserGroupMembership::getLink which in turn returns the result of Message::text() which is not secure HTML, but unparsed user wikitext.
Change 582935 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] Disable phan warning for now
This is not a new issue with the code and was blocking some important merges today, so I've disabled it for now.
Now those merges have happened we should follow up with some analysis to pay off the technical debt we've accrued.
Change 583376 had a related patch set uploaded (by Jdlrobson; owner: Jdlrobson):
[mediawiki/extensions/MobileFrontend@master] Revert "Disable phan warning for now"
It's passing. Looks like it was fixed by https://phabricator.wikimedia.org/T248360#5997215
SecCheckPlugin seems happy on the revert, so lgtm. Let me know if you want a +2 on the patch.
Change 583376 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] Revert "Disable phan warning for now"