On Wed, Apr 11, 2012 at 12:27 AM, Kim Eik kim@heldig.org wrote:
> I have created a patch for the gallery tag and have been given the following review.
> https://gerrit.wikimedia.org/r/4609
> - JavaScript injection: you can inject javascript: URIs which execute code when clicked
> - plain links ("link=Firefox") are taken as relative URLs which will randomly work or not work depending on where they're viewed from
> - need parser test cases to demo it working
> So my questions are:
> What would be the recommended way of stripping away javascript from URIs? Are there any shared functions which do exactly this?
You should check to see how the 'link' parameter is handled on standalone images.
In Parser::makeImage() look for the "case 'link':"; it uses existing regexes to check if the link matches allowed URL schemes, and if not tries to treat it as a page title.
> And how would I solve the plain links problem? Do a regex check for an absolute URI, e.g. http://example.org/foo/bar? And what are "parser test cases", PHPUnit tests? Or some other form of testing?
Parser test cases live in tests/parser/parserTests.txt, and can be run both through the phpunit test suite and through the standalone parserTests.php -- so a parser test failure should trigger a Jenkins test failure.
Each test case specifies input wikitext and output HTML, to confirm that things operate as expected.
-- brion
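An added, stand-alone illustration of the allow-list approach brion describes for standalone images (this is example code, not Parser::makeImage() and not part of the thread): a link= value is accepted as an external URL only when it starts with an explicitly permitted scheme, and everything else is treated as a page title and turned into a site-local path, so "link=Firefox" never becomes a relative URL. The protocol list, the illegal-character set and the /wiki/ path prefix are assumptions for the example.

```php
<?php
// Added example modelled on the "check allowed URL schemes, else treat as a
// title" approach described for standalone images. Not MediaWiki's own code;
// the protocol list and URL layout below are assumptions for illustration.

/** Hypothetical allowed URL protocols (in the spirit of $wgUrlProtocols). */
const ALLOWED_PROTOCOLS = [ 'http://', 'https://', 'ftp://', 'mailto:' ];

/**
 * Resolve a gallery link= value to a safe href, or null to drop the link.
 *
 * Using an allow-list means javascript:, data:, vbscript: and any other
 * unlisted scheme is never emitted as an external URL: it is simply not in
 * the list, so no scheme-stripping regex is needed. Values that are not
 * allowed external URLs are treated as page titles, which always resolve to
 * a site-local path rather than a relative URL.
 */
function resolveGalleryLink( string $value ): ?string {
    // Trim whitespace/control characters: browsers tolerate them in front of
    // a scheme ("\tjavascript:"), so they must not defeat the check below.
    $value = trim( $value );
    if ( $value === '' ) {
        return null;
    }

    // Allowed external URL? Scheme names are case-insensitive.
    foreach ( ALLOWED_PROTOCOLS as $proto ) {
        if ( stripos( $value, $proto ) === 0 ) {
            return $value;
        }
    }

    // Otherwise treat the value as a page title. Reject characters a wiki
    // title cannot contain (approximation of MediaWiki's legal title chars).
    if ( preg_match( '/[#<>\[\]|{}\x00-\x1F\x7F]/', $value ) ) {
        return null;
    }

    // Normalise spaces, upper-case the first letter, and build a site-local
    // path. Even "javascript:alert(1)" ends up as an encoded local title here.
    $title = str_replace( ' ', '_', $value );
    $title = ucfirst( $title );
    return '/wiki/' . rawurlencode( $title );
}

// Usage with constructed inputs: an allowed URL, a plain title, and a
// javascript: URI (which becomes a harmless local title path).
foreach ( [ 'https://example.org/x', 'Firefox', 'javascript:alert(1)' ] as $in ) {
    var_dump( resolveGalleryLink( $in ) );
}
```

A parser test case for the gallery tag would then pair such inputs with the exact HTML the tag should emit, as brion describes for tests/parser/parserTests.txt.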