Last modified: 2014-04-14 01:47:22 UTC
From bug 212 in comment #9: What I would like is to have a mechanism to detect this automatically, something that can be enabled during development. PHP's taint module seems a candidate, but as of now it is not easy to install. The remaining uses are hard to find, and extension developers usually don't pay attention to it.
Switching blocker from bug 209 to bug 212, which is more directly relevant.
Should this be part of the testing infrastructure?
Not really. That is more a general MediaWiki issue and how we do not detect user input being passed directly to output without proper escaping. The PHP taint extension is exactly what we could use, though it is very unlikely we will ever require such an extension as a dependency. I know of facebook/pfff, which is an Objective Caml analyzer for PHP which *might* be able to detect such issues. Anyway, not an easy task with the PHP language.
Suggesting WONTFIX here, Niklas. There isn't really a way to find this out. As long as $context->msg() or wfMessage() is used, even Message::text() and Message::plain() can be escaped or parsed later on, so there's not really an indicator. During the recent updates from wfMsg* to wfMessage, many problems have been resolved (and some new ones have been introduced, overescaping accidentally), so the issue of outputting raw HTML should be smaller now, albeit not gone. From what I can see, proper auditing on review is the only option for now (and being warned by users).
Siebrand: there are ways as mentioned above. I just don't believe anyone will have time to work on this. I hope this won't come to bite us later.
(In reply to Niklas Laxström from comment #5)
> I just don't believe anyone will have time to work on this.

This seems to be the case still. Setting priority to Lowest to reflect this fact.
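The development-time detection mechanism asked for in comment 0, and the observation in comment 5 that Message::text() and Message::plain() output may still be escaped later, can be sketched without a taint extension. The following is an added example, not MediaWiki code and not part of this bug thread: DevMessage, TaggedString and DevOutput are hypothetical stand-ins for wfMessage()/Message and OutputPage::addHTML(), and the sample message content is constructed. It assumes PHP 8.1 or later.

```php
<?php
// Added example (not MediaWiki code). A development-only guard that raises
// when unescaped message text reaches an HTML sink. DevMessage, TaggedString
// and DevOutput are hypothetical stand-ins for wfMessage()/Message/OutputPage.
declare(strict_types=1);

final class UnescapedOutputError extends RuntimeException {}

// A string that remembers whether it has been escaped for HTML and where it came from.
final class TaggedString {
    public function __construct(
        public readonly string $value,
        public readonly bool $escaped,
        public readonly string $origin
    ) {}

    // Escaping later is legitimate (the point made in comment 5): return an escaped tag.
    public function escape(): self {
        return new self(htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8'), true, $this->origin . ' -> escaped');
    }

    // Using the object in a string context drops the tag, which is exactly the
    // situation the guard exists to surface, so refuse unless already escaped.
    public function __toString(): string {
        if (!$this->escaped) {
            throw new UnescapedOutputError("unescaped message text from {$this->origin} used as a plain string");
        }
        return $this->value;
    }
}

// Minimal stand-in for a Message object with the three output methods discussed above.
final class DevMessage {
    public function __construct(private string $raw) {}
    public function text(): TaggedString  { return new TaggedString($this->raw, false, 'text()'); }
    public function plain(): TaggedString { return new TaggedString($this->raw, false, 'plain()'); }
    public function escaped(): TaggedString {
        return new TaggedString(htmlspecialchars($this->raw, ENT_QUOTES, 'UTF-8'), true, 'escaped()');
    }
}

// Stand-in for an HTML output sink (compare OutputPage::addHTML()).
final class DevOutput {
    private string $buffer = '';
    public function addHTML(TaggedString|string $html): void {
        if ($html instanceof TaggedString && !$html->escaped) {
            throw new UnescapedOutputError("addHTML() given unescaped text from {$html->origin}");
        }
        $this->buffer .= (string) $html;
    }
    public function getHTML(): string { return $this->buffer; }
}

// Constructed sample: message text that carries user-controlled markup.
$userSupplied = '<b>untrusted</b>';
$msg = new DevMessage("Hello, $userSupplied");
$out = new DevOutput();

$out->addHTML($msg->escaped());         // fine: escaped at the source
$out->addHTML($msg->text()->escape());  // fine: raw text, escaped before the sink

foreach ([$msg->text(), $msg->plain()] as $raw) {
    try {
        $out->addHTML($raw);            // flagged: raw text straight into HTML
    } catch (UnescapedOutputError $e) {
        echo "caught: {$e->getMessage()}\n";
    }
}
echo $out->getHTML(), "\n";
```

The guard only covers sinks that route through it or through string conversion, so a caller that wants the raw text for a non-HTML purpose (a log line, an e-mail body) must read `->value` explicitly; that is the trade-off of making the ambiguous case fail loudly during development rather than silently during review.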