Don't double-escape the ellipses in Language::truncateForVisual()
commit 9e033de4f22ce46bfaf45556ecad2e221e7d298d
author C. Scott Ananian <cscott@cscott.net>
Mon, 7 Feb 2022 22:37:56 +0000 (7 17:37 -0500)
committer C. Scott Ananian <cscott@cscott.net>
Thu, 10 Feb 2022 22:09:18 +0000 (10 17:09 -0500)
tree 3942111ea7196410727aac68a037a210e00d9594
parent 45d6341cab8a23f85a8fad9079f9992b8e078d5f
Don't double-escape the ellipses in Language::truncateForVisual()

It turns out this gets rid of a bunch of suppressed
"SecurityCheck-DoubleEscaped" that appear to have been accurate
warnings.

There seems to have been some confusion about how ::truncateForVisual()
is supposed to be used; in particular it is to be passed *unescaped*
output, because it is not (generally speaking) safe to truncate
HTML-escaped strings.  The goal of ::truncateForVisual() is to have
a specific number of codepoints in the output for display purposes,
the encoding of those codepoints is not an issue (htmlspecialchars
can be applied to the *return value*.)  If you need a specific number
of *bytes* you should be using ::truncateForDatabase().  If you want
a certain number of *HTML bytes* then the ::truncateHtml() method
is probably what you want.

Slightly refactor some code in RevDelLogItem to avoid a false positive.

Bug: T301205
Bug: T290624
Change-Id: I893362e049aedfa699043fcf27caf4815196f748
12 files changed:
includes/Storage/PageUpdater.php
includes/actions/MarkpatrolledAction.php
includes/changes/ChangesList.php
includes/changes/RCCacheEntryFactory.php
includes/changes/RecentChange.php
includes/export/XmlDumpWriter.php
includes/gallery/TraditionalImageGallery.php
includes/language/Language.php
includes/logging/LogPage.php
includes/rcfeed/IRCColourfulRCFeedFormatter.php
includes/revisiondelete/RevDelLogItem.php
includes/search/SearchHighlighter.php
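
The calling convention described in the commit message, shown as an added example that is not code from this commit or from MediaWiki. `truncateVisualSketch()` is a hypothetical stand-in for the truncation helper (it does not count the ellipsis toward the limit), and the sample string and the `&hellip;` ellipsis value are constructed for illustration.

```php
<?php
// Added illustration; truncateVisualSketch() is a hypothetical stand-in,
// not MediaWiki's Language::truncateForVisual().
// Keeps at most $max codepoints of $text, then appends $ellipsis as given.
function truncateVisualSketch(string $text, int $max, string $ellipsis): string {
    // Split on codepoint boundaries (the /u flag makes PCRE UTF-8 aware).
    $cps = preg_split('//u', $text, -1, PREG_SPLIT_NO_EMPTY);
    if (count($cps) <= $max) {
        return $text;
    }
    return implode('', array_slice($cps, 0, $max)) . $ellipsis;
}

// Constructed sample: an edit summary containing HTML metacharacters.
$raw = 'Tom & Jerry <b>rule</b> forever';

// Intended use: truncate the unescaped text, then escape the return value.
// The limit applies to visible codepoints and "&" is escaped exactly once.
$good = htmlspecialchars(truncateVisualSketch($raw, 10, '…'), ENT_QUOTES, 'UTF-8');

// Misuse 1: escape first, then truncate. Entity characters are counted as
// if they were visible codepoints, and the cut lands inside "&amp;",
// leaving a broken entity in the output.
$cutEntity = truncateVisualSketch(htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), 6, '…');

// Misuse 2: the helper hands back an already-escaped ellipsis (constructed
// value "&hellip;") and the caller escapes the return value again, so the
// ampersand of the ellipsis entity is escaped a second time.
$double = htmlspecialchars(truncateVisualSketch($raw, 10, '&hellip;'), ENT_QUOTES, 'UTF-8');

foreach (['good' => $good, 'cutEntity' => $cutEntity, 'double' => $double] as $label => $html) {
    echo str_pad($label, 10), ' ', $html, "\n";
}
```

Comparing the three printed strings shows why the helper must both receive and return unescaped text: only the first is a well-formed, singly escaped fragment.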