From: Van de B. <van...@gm...> - 2011-10-10 23:35:45

Here is the patch.

1. I used Validator to validate #info parameters. I see Validator is already used in SMW, so it should not be a problem.

2. The new #info syntax is:

   {{ #info: message=... | icon=... | escape=... }}

   Defaults: icon=info, escape=yes. message is also recognized as the first positional argument, and icon as the second, for backward compatibility.

3. I removed the use of the global $wgTitle variable, because it is declared deprecated. The title of the current page can be retrieved through the parser.

4. I think everything is ok with non-escaped output, because I did some testing:

   a. <span class="error">...</span> is passed to HTML and influences formatting.

   b. At the same time, <a href="...">...</a> is escaped: tags are displayed literally, but the content of the href attribute is recognized and formatted as an external link. It seems the result of the #info function is processed by the parser.

5. The only thing I am worried about is initialization. Since SMWInfo is a descendant of Validator's ParserHook now... Please check initialization carefully.

Thanks,
Van.

On Mon, 2011-10-10 at 22:38 +0000, Jeroen De Dauw wrote:
> Hey,
>
> It'd indeed be nice if markup could be embedded here. However, we need
> to be careful with the removing of any escaping, to avoid creating
> script insertion vulnerabilities and the like. Instead of escaping,
> the text could be passed to the parser, which will then remove
> anything that should not be in the text. I don't have time right now
> to really look into this, but if you create a patch, I'll try to
> review it :)
>
> Cheers
>
> --
> Jeroen De Dauw
> http://www.bn2vs.com
> Don't panic. Don't be evil.
> --