On Wed, Apr 11, 2012 at 12:27 AM, Kim Eik <kim(a)heldig.org> wrote:
> I have created a patch for the gallery tag and have been given the
> following review.
> https://gerrit.wikimedia.org/r/4609
> * JavaScript injection: you can inject javascript: URIs which execute
> code when clicked
> * plain links ("link=Firefox") are taken as relative URLs which will
> randomly work or not work depending on where they're viewed from
> * need parser test cases to demo it working
> So my questions are:
> What would be the recommended way of stripping away javascript from
> uris? Are there any shared functions which do exactly this?
You should check to see how the 'link' parameter is handled on standalone
images.
In Parser::makeImage() look for the "case 'link':"; it uses existing
regexes to check if the link matches allowed URL schemes, and if not tries
to treat it as a page title.
> And how would I solve the plain links problem? Do a regex check for an
> absolute URI? e.g.
> http://example.org/foo/bar?
> And what is "parser test cases", phpunit tests? or some other form of
> testing?
Parser test cases live in tests/parser/parserTests.txt, and can be run both
through the phpunit test suite and through the standalone parserTests.php
-- so a parser test failure should trigger a Jenkins test failure.
Each test case specifies input wikitext and output HTML, to confirm that
things operate as expected.
-- brion
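As an added illustration of the approach Brion describes for standalone images (not code from the gallery patch or from MediaWiki's Parser::makeImage()), the following Python sketch classifies a `link=` value: an absolute URL with an allowlisted scheme becomes an external href, and anything else, including `javascript:` URIs, is treated as a page title and rendered under the wiki's article path, so the output href can never start with an unexpected scheme. The scheme allowlist and the `/wiki/` base path are assumptions for this example.

```python
import html
import re
from typing import Optional, Tuple
from urllib.parse import quote

# Constructed allowlist for this example; MediaWiki keeps its own configurable
# list of URL protocols, which this sketch does not reproduce.
ALLOWED_SCHEMES = ("http", "https", "ftp", "mailto")

# Anchored, case-insensitive match so only "scheme:" at the very start counts.
EXTERNAL_RE = re.compile(
    r"^(?:%s):" % "|".join(re.escape(s) for s in ALLOWED_SCHEMES), re.IGNORECASE
)


def classify_link(value: str) -> Tuple[str, Optional[str]]:
    """Return (kind, target) where kind is 'none', 'external' or 'internal'.

    Mirrors the described rule: if the value matches an allowed URL scheme it is
    an external link; otherwise it is taken as a page title. A "javascript:" value
    therefore falls through to the page-title branch instead of becoming an href.
    """
    raw = value.strip()
    if not raw:
        return ("none", None)
    if EXTERNAL_RE.match(raw):
        return ("external", raw)
    # No allowed scheme: "link=Firefox" is a wiki page title, not a relative URL.
    return ("internal", raw)


def render_href(value: str, article_path: str = "/wiki/") -> str:
    """Build the href attribute value for the gallery image's link."""
    kind, target = classify_link(value)
    if kind == "external":
        # Attribute-escape so '&', '"' and '<' in the URL cannot break out.
        return html.escape(target, quote=True)
    if kind == "internal":
        # Page titles are always rooted at the article path, so the result is a
        # same-origin relative URL regardless of what the title text contains.
        return article_path + quote(target.replace(" ", "_"), safe=":/")
    return ""  # 'none': no link at all
```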