Explicitly declare HtmlArmor exceptions (#20)

osnard · rvogel · web-flow · commit 4f2c7ca877aa · 2022-08-10T14:53:41.000+02:00
* Explicitly state HtmlArmor excluded fields

ERM29427
ERM29429
ERM29430

* Remove defaults

* Bump version

* Apply HtmlArmor for rendered subcomponent html

Co-authored-by: rvogel &lt;vogel@hallowelt.biz&gt;
diff --git a/bootstrap.php b/bootstrap.php
@@ -8,7 +8,7 @@
 	return;
 }
 
-define( 'MWSTAKE_MEDIAWIKI_COMPONENT_COMMONUSERINTERFACE_VERSION', '3.0.4' );
+define( 'MWSTAKE_MEDIAWIKI_COMPONENT_COMMONUSERINTERFACE_VERSION', '3.0.5' );
 
 MWStake\MediaWiki\ComponentLoader\Bootstrapper::getInstance()
 ->register( 'commonuserinterface', function () {
diff --git a/resources/templates/button.mustache b/resources/templates/button.mustache
@@ -1,4 +1,4 @@
 <button {{#id}}id="{{.}}" {{/id}}class="btn{{#class}} {{.}}{{/class}}" type="button"{{#disabled}} disabled{{/disabled}}>
-	<span class="visually-hidden">{{{aria-label}}}</span>
+	<span class="visually-hidden">{{aria-label}}</span>
 	{{{text}}}
 </button>
diff --git a/resources/templates/card-img.mustache b/resources/templates/card-img.mustache
@@ -1 +1 @@
-<img src="{{src}}" class="card-img-{{type}}{{#class}} {{.}}{{/class}}" alt="{{alt}}">
+<img src="{{src}}" class="card-img-{{type}}{{#class}} {{.}}{{/class}}" alt="{{alt}}" />
diff --git a/resources/templates/dropdown-split-link.mustache b/resources/templates/dropdown-split-link.mustache
@@ -1,7 +1,7 @@
 <div class="dropdown{{#cnt-class}} {{.}}{{/cnt-class}}">
 	<div class="btn-group{{#btn-group-class}} {{.}}{{/btn-group-class}}">
 		<a {{#btn-class}}class="{{.}}"{{/btn-class}}{{#id}} id="{{.}}"{{/id}} title="{{btn-title}}"{{#btn-data}} {{{.}}}{{/btn-data}} aria-haspopup="true" aria-label="{{btn-aria-label}}"{{#btn-disabled}} disabled{{/btn-disabled}} href="{{btn-href}}">
-			{{{btn-text}}}
+			{{btn-text}}
 		</a>
 		<a class="dropdown-toggle{{#split-btn-class}} {{.}}{{/split-btn-class}}"{{#id}} id="{{.}}-menu-btn"{{/id}} title="{{split-btn-title}}"{{#split-btn-data}} {{{.}}}{{/split-btn-data}} data-bs-toggle="dropdown" aria-haspopup="true" aria-label="{{split-btn-aria-label}}" aria-expanded="false" aria-controls="{{id}}-menu"{{#split-btn-disabled}} disabled{{/split-btn-disabled}} href="">
 		</a>
diff --git a/src/IDropdownIconSplitButton.php b/src/IDropdownIconSplitButton.php
@@ -37,7 +37,7 @@ public function getSplitButtonClasses() : array;
 	public function getMenuClasses() : array;
 
 	/**
-	 * @return Message
+	 * @return array
 	 */
 	public function getIconClasses() : array;
 
diff --git a/src/Renderer/Accordion.php b/src/Renderer/Accordion.php
@@ -43,7 +43,7 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'header-text', 'body' ];
+		return [ 'id' ];
 	}
 
 }
diff --git a/src/Renderer/Badge.php b/src/Renderer/Badge.php
@@ -51,4 +51,11 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	public function getTemplatePathname() : string {
 		return $this->templateBasePath . '/badge.mustache';
 	}
+
+	/**
+	 * @inheritDoc
+	 */
+	protected function getHtmlArmorExcludedFields() {
+		return [ 'class' ];
+	}
 }
diff --git a/src/Renderer/Button.php b/src/Renderer/Button.php
@@ -66,4 +66,11 @@ public function getTemplatePathname() : string {
 		return $this->templateBasePath . '/button.mustache';
 	}
 
+	/**
+	 * @inheritDoc
+	 */
+	protected function getHtmlArmorExcludedFields() {
+		return [ 'id', 'class', 'disabled', 'aria-label' ];
+	}
+
 }
diff --git a/src/Renderer/ButtonGroup.php b/src/Renderer/ButtonGroup.php
@@ -64,4 +64,11 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	public function getTemplatePathname() : string {
 		return $this->templateBasePath . '/button-group.mustache';
 	}
+
+	/**
+	 * @inheritDoc
+	 */
+	protected function getHtmlArmorExcludedFields() {
+		return [ 'class', 'role', 'aria-label' ];
+	}
 }
diff --git a/src/Renderer/Card.php b/src/Renderer/Card.php
@@ -4,6 +4,7 @@
 
 use Exception;
 use MWStake\MediaWiki\Component\CommonUserInterface\ICard;
+use MWStake\MediaWiki\Component\CommonUserInterface\IComponent;
 
 class Card extends RendererBase {
 
@@ -47,6 +48,6 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'id', 'class' ];
 	}
 }
diff --git a/src/Renderer/CardBody.php b/src/Renderer/CardBody.php
@@ -53,6 +53,6 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'class' ];
 	}
 }
diff --git a/src/Renderer/CardFooter.php b/src/Renderer/CardFooter.php
@@ -53,6 +53,6 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'class' ];
 	}
 }
diff --git a/src/Renderer/CardHeader.php b/src/Renderer/CardHeader.php
@@ -53,6 +53,6 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'id', 'class' ];
 	}
 }
diff --git a/src/Renderer/CardImage.php b/src/Renderer/CardImage.php
@@ -43,4 +43,10 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 		return $templateData;
 	}
 
+	/**
+	 * @inheritDoc
+	 */
+	protected function getHtmlArmorExcludedFields() {
+		return [ 'src', 'type', 'class', 'alt' ];
+	}
 }
diff --git a/src/Renderer/CardLink.php b/src/Renderer/CardLink.php
@@ -69,11 +69,11 @@ public function getTemplatePathname() : string {
 	}
 
 	/**
-	 * `AriaAttributesBuilder` and `DataAttributesBuilder` are already using
+	 * `DataAttributesBuilder` is already using
 	 * `Sanitizer::safeEncodeTagAttributes`
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body', 'data' ];
+		return [ 'id', 'class', 'href', 'title', 'data', 'role', 'rel', 'aria-label' ];
 	}
 }
diff --git a/src/Renderer/CardSubTitle.php b/src/Renderer/CardSubTitle.php
@@ -53,6 +53,6 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'class' ];
 	}
 }
diff --git a/src/Renderer/CardText.php b/src/Renderer/CardText.php
@@ -53,6 +53,6 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'class' ];
 	}
 }
diff --git a/src/Renderer/CardTitle.php b/src/Renderer/CardTitle.php
@@ -53,6 +53,6 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'class' ];
 	}
 }
diff --git a/src/Renderer/CollapsibleCard.php b/src/Renderer/CollapsibleCard.php
@@ -78,4 +78,13 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 		return $templateData;
 	}
 
+	/**
+	 * `AriaAttributesBuilder` is already using
+	 * `Sanitizer::safeEncodeTagAttributes`
+	 * @inheritDoc
+	 */
+	protected function getHtmlArmorExcludedFields() {
+		return [ 'cnt-class', 'id', 'header-class', 'title', 'aria', 'body-class' ];
+	}
+
 }
diff --git a/src/Renderer/Dropdown.php b/src/Renderer/Dropdown.php
@@ -81,6 +81,6 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'cnt-class', 'id', 'title', 'btn-data', 'btn-aria-label', 'menu-class' ];
 	}
 }
diff --git a/src/Renderer/DropdownButton.php b/src/Renderer/DropdownButton.php
@@ -89,6 +89,7 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'cnt-class', 'btn-class', 'id', 'title', 'data', 'btn-aria-label', 'disabled',
+			'text', 'menu-class' ];
 	}
 }
diff --git a/src/Renderer/DropdownIcon.php b/src/Renderer/DropdownIcon.php
@@ -89,6 +89,7 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'cnt-class', 'tabindex', 'btn-class', 'id', 'title', 'btn-data', 'btn-aria-label',
+			'icon-class', 'menu-class' ];
 	}
 }
diff --git a/src/Renderer/DropdownIconSplitButton.php b/src/Renderer/DropdownIconSplitButton.php
@@ -123,6 +123,9 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'cnt-class', 'btn-group-class', 'href', 'btn-class', 'id', 'btn-title',
+			'btn-data', 'btn-aria-label', 'btn-disabled', 'icon-class', 'split-btn-class',
+			'split-btn-title', 'split-btn-data', 'split-btn-aria-label', 'split-btn-disabled',
+			'menu-class' ];
 	}
 }
diff --git a/src/Renderer/DropdownItemlist.php b/src/Renderer/DropdownItemlist.php
@@ -61,6 +61,6 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'list-id', 'list-class' ];
 	}
 }
diff --git a/src/Renderer/DropdownItemlistFromArray.php b/src/Renderer/DropdownItemlistFromArray.php
@@ -83,6 +83,7 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'aria', 'body', 'data' ];
+		return [ 'list-id', 'list-class', 'id', 'class', 'href', 'title', 'aria', 'data',
+			'rel', 'target' ];
 	}
 }
diff --git a/src/Renderer/DropdownItemlistItem.php b/src/Renderer/DropdownItemlistItem.php
@@ -61,6 +61,6 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'class' ];
 	}
 }
diff --git a/src/Renderer/DropdownSplitButton.php b/src/Renderer/DropdownSplitButton.php
@@ -115,6 +115,8 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'cnt-class', 'btn-group-class', 'btn-class', 'id', 'btn-title', 'btn-data',
+			'btn-aria-label', 'btn-disabled', 'btn-text', 'split-btn-class', 'split-btn-title',
+			'split-btn-data', 'split-btn-aria-label', 'split-btn-disabled', 'menu-class' ];
 	}
 }
diff --git a/src/Renderer/DropdownSplitLink.php b/src/Renderer/DropdownSplitLink.php
@@ -116,6 +116,9 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'cnt-class', 'btn-group-class', 'btn-class', 'id', 'btn-title', 'btn-data',
+			'btn-aria-label', 'btn-disabled', 'btn-href', 'btn-text', 'split-btn-class',
+			'split-btn-title', 'split-btn-data', 'split-btn-aria-label', 'split-btn-disabled',
+			'menu-class' ];
 	}
 }
diff --git a/src/Renderer/Link.php b/src/Renderer/Link.php
@@ -126,6 +126,6 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'aria', 'data' ];
+		return [ 'id', 'class', 'href', 'title', 'aria', 'data', 'role', 'rel', 'target' ];
 	}
 }
diff --git a/src/Renderer/LinklistGroup.php b/src/Renderer/LinklistGroup.php
@@ -69,4 +69,13 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	public function getTemplatePathname() : string {
 		return $this->templateBasePath . '/linklist-group.mustache';
 	}
+
+	/**
+	 * `AriaAttributesBuilder` and `DataAttributesBuilder` are already using
+	 * `Sanitizer::safeEncodeTagAttributes`
+	 * @inheritDoc
+	 */
+	protected function getHtmlArmorExcludedFields() {
+		return [ 'id', 'class', 'aria' ];
+	}
 }
diff --git a/src/Renderer/LinklistGroupFromArray.php b/src/Renderer/LinklistGroupFromArray.php
@@ -94,6 +94,7 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'aria', 'data' ];
+		return [ 'cnt-id', 'cnt-class', 'cnt-aria', 'id', 'class', 'href', 'title', 'aria', 'data',
+			'rel', 'target' ];
 	}
 }
diff --git a/src/Renderer/LinklistGroupItem.php b/src/Renderer/LinklistGroupItem.php
@@ -58,4 +58,11 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	public function getTemplatePathname() : string {
 		return $this->templateBasePath . '/linklist-group-item.mustache';
 	}
+
+	/**
+	 * @inheritDoc
+	 */
+	protected function getHtmlArmorExcludedFields() {
+		return [ 'class' ];
+	}
 }
diff --git a/src/Renderer/MediaObject.php b/src/Renderer/MediaObject.php
@@ -70,7 +70,7 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'body' ];
+		return [ 'id', 'container-class', 'img-class', 'src', 'alt', 'body-class' ];
 	}
 
 }
diff --git a/src/Renderer/Separator.php b/src/Renderer/Separator.php
@@ -52,4 +52,11 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra
 	public function getTemplatePathname() : string {
 		return $this->templateBasePath . '/separator.mustache';
 	}
+
+	/**
+	 * @inheritDoc
+	 */
+	protected function getHtmlArmorExcludedFields() {
+		return [ 'class' ];
+	}
 }
diff --git a/src/Renderer/TextLink.php b/src/Renderer/TextLink.php
@@ -123,6 +123,6 @@ public function getTemplatePathname() : string {
 	 * @inheritDoc
 	 */
 	protected function getHtmlArmorExcludedFields() {
-		return [ 'aria', 'data' ];
+		return [ 'id', 'class', 'href', 'title', 'aria', 'data', 'role', 'rel', 'target' ];
 	}
 }
diff --git a/src/RendererDataTreeRenderer.php b/src/RendererDataTreeRenderer.php
@@ -2,6 +2,8 @@
 
 namespace MWStake\MediaWiki\Component\CommonUserInterface;
 
+use HtmlArmor;
+
 class RendererDataTreeRenderer {
 
 	/**
@@ -52,7 +54,7 @@ private function makeHtmlFromRendererDataTreeNode( $dataTreeNode ) {
 				}
 			}
 			if ( !empty( $subComponentHtml ) ) {
-				$dataTreeNode['data'][$dataKey] = $subComponentHtml;
+				$dataTreeNode['data'][$dataKey] = new HtmlArmor( $subComponentHtml );
 			}
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`return;`
`9`	`9`	`}`
`10`	`10`
`11`		`-define( 'MWSTAKE_MEDIAWIKI_COMPONENT_COMMONUSERINTERFACE_VERSION', '3.0.4' );`
	`11`	`+define( 'MWSTAKE_MEDIAWIKI_COMPONENT_COMMONUSERINTERFACE_VERSION', '3.0.5' );`
`12`	`12`
`13`	`13`	`MWStake\MediaWiki\ComponentLoader\Bootstrapper::getInstance()`
`14`	`14`	`->register( 'commonuserinterface', function () {`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-<img src="{{src}}" class="card-img-{{type}}{{#class}} {{.}}{{/class}}" alt="{{alt}}">`
	`1`	`+<img src="{{src}}" class="card-img-{{type}}{{#class}} {{.}}{{/class}}" alt="{{alt}}" />`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ public function getTemplatePathname() : string {`
`43`	`43`	`* @inheritDoc`
`44`	`44`	`*/`
`45`	`45`	`protected function getHtmlArmorExcludedFields() {`
`46`		`- return [ 'header-text', 'body' ];`
	`46`	`+ return [ 'id' ];`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -51,4 +51,11 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra`
`51`	`51`	`public function getTemplatePathname() : string {`
`52`	`52`	`return $this->templateBasePath . '/badge.mustache';`
`53`	`53`	`}`
	`54`	`+`
	`55`	`+ /**`
	`56`	`+ * @inheritDoc`
	`57`	`+ */`
	`58`	`+ protected function getHtmlArmorExcludedFields() {`
	`59`	`+ return [ 'class' ];`
	`60`	`+ }`
`54`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -66,4 +66,11 @@ public function getTemplatePathname() : string {`
`66`	`66`	`return $this->templateBasePath . '/button.mustache';`
`67`	`67`	`}`
`68`	`68`
	`69`	`+ /**`
	`70`	`+ * @inheritDoc`
	`71`	`+ */`
	`72`	`+ protected function getHtmlArmorExcludedFields() {`
	`73`	`+ return [ 'id', 'class', 'disabled', 'aria-label' ];`
	`74`	`+ }`
	`75`	`+`
`69`	`76`	`}`
Original file line number	Diff line number	Diff line change
`@@ -64,4 +64,11 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra`
`64`	`64`	`public function getTemplatePathname() : string {`
`65`	`65`	`return $this->templateBasePath . '/button-group.mustache';`
`66`	`66`	`}`
	`67`	`+`
	`68`	`+ /**`
	`69`	`+ * @inheritDoc`
	`70`	`+ */`
	`71`	`+ protected function getHtmlArmorExcludedFields() {`
	`72`	`+ return [ 'class', 'role', 'aria-label' ];`
	`73`	`+ }`
`67`	`74`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`
`5`	`5`	`use Exception;`
`6`	`6`	`use MWStake\MediaWiki\Component\CommonUserInterface\ICard;`
	`7`	`+use MWStake\MediaWiki\Component\CommonUserInterface\IComponent;`
`7`	`8`
`8`	`9`	`class Card extends RendererBase {`
`9`	`10`
`@@ -47,6 +48,6 @@ public function getRendererDataTreeNode( $component, $subComponentNodes ) : arra`
`47`	`48`	`* @inheritDoc`
`48`	`49`	`*/`
`49`	`50`	`protected function getHtmlArmorExcludedFields() {`
`50`		`- return [ 'body' ];`
	`51`	`+ return [ 'id', 'class' ];`
`51`	`52`	`}`
`52`	`53`	`}`