diff --git a/includes/CargoFieldDescription.php b/includes/CargoFieldDescription.php
index ad2eb053..fbec24af 100644
--- a/includes/CargoFieldDescription.php
+++ b/includes/CargoFieldDescription.php
@@ -362,6 +362,11 @@ public function prepareAndValidateValue( $fieldValue ) {
 return $valueArray;
 }
+ public function prettyPrintAllowedValues() {
+ $escapedAllowedValues = array_map( 'htmlspecialchars', $this->mAllowedValues );
+ return implode( ' · ', $escapedAllowedValues );
+ }
+
 public function prettyPrintType() {
 $typeDesc = Html::element( 'tt', null, $this->mType );
 if ( $this->mIsList ) {
diff --git a/includes/specials/CargoPageValues.php b/includes/specials/CargoPageValues.php
index ce1cfbab..99cd65ac 100644
--- a/includes/specials/CargoPageValues.php
+++ b/includes/specials/CargoPageValues.php
@@ -76,7 +76,7 @@ public function execute( $subpage = null ) {
 $tableLink = $this->getTableLink( $tableName );
 $tableSectionHeader = $this->msg( 'cargo-pagevalues-tablevalues' )->rawParams( $tableLink )->escaped();
- $tableSectionTocDisplay = $this->msg( 'cargo-pagevalues-tablevalues', $tableName )->text();
+ $tableSectionTocDisplay = $this->msg( 'cargo-pagevalues-tablevalues', $tableName )->escaped();
 $tableSectionAnchor = $this->msg( 'cargo-pagevalues-tablevalues', $tableName )->escaped();
 $tableSectionAnchor = Sanitizer::escapeIdForAttribute( $tableSectionAnchor );
@@ -153,7 +153,7 @@ private function getInfoForAllFields( $tableName ) {
 foreach ( $fieldDescriptions as $fieldName => $fieldDescription ) {
 $fieldInfo[$fieldName]['field type'] = $fieldDescription->prettyPrintType();
 if ( is_array( $fieldDescription->mAllowedValues ) ) {
- $fieldInfo[$fieldName]['allowed values'] = implode( ' · ', $fieldDescription->mAllowedValues );
+ $fieldInfo[$fieldName]['allowed values'] = $fieldDescription->prettyPrintAllowedValues();
 } else {
 $fieldInfo[$fieldName]['allowed values'] = '';
 }
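Review bot: prettyPrintAllowedValues relies on htmlspecialchars' default flags, which before PHP 8.1 are ENT_COMPAT and leave single quotes unescaped, and it passes no explicit charset; since the joined string replaces an unescaped implode in CargoPageValues and is presumably emitted as HTML, the escaping should be explicit: `$escapedAllowedValues = array_map( static function ( $v ) { return htmlspecialchars( (string)$v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }, $this->mAllowedValues );`. The method also assumes mAllowedValues is an array; the only caller in this diff still guards with is_array, but array_map on null throws a TypeError, so either return '' when it is not an array or document the precondition. A docblock such as `/** @return string Allowed values, HTML-escaped and joined with ' · ' */` would make the HTML-ness of the return value visible to future callers.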
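Review bot: The switch of $tableSectionTocDisplay to ->escaped() is only correct if the TOC builder that receives it inserts the string as raw HTML; that consumer is outside the hunk, so it is worth confirming it does not escape again, which would render an ampersand in a table name as `&amp;`. On the line right below, $tableSectionAnchor is likewise built from ->escaped() output before Sanitizer::escapeIdForAttribute, so HTML entities in the message text reach the id; `->text()` is the usual input there, `$tableSectionAnchor = Sanitizer::escapeIdForAttribute( $this->msg( 'cargo-pagevalues-tablevalues', $tableName )->text() );`, provided the TOC link target is derived the same way. That line is pre-existing context, but the hunk touches the same message in three separate ->msg() calls that could be built once. execute()'s body continues outside the hunk.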
diff --git a/includes/specials/SpecialDeleteCargoTable.php b/includes/specials/SpecialDeleteCargoTable.php
index b662195c..8528c60f 100644
--- a/includes/specials/SpecialDeleteCargoTable.php
+++ b/includes/specials/SpecialDeleteCargoTable.php
@@ -55,6 +55,7 @@ public function execute( $subpage = false ) {
 $out = $this->getOutput();
 $req = $this->getRequest();
+ $csrfTokenSet = $this->getContext()->getCsrfTokenSet();
 $out->enableOOUI();
@@ -87,7 +88,7 @@ public function execute( $subpage = false ) {
 $fieldTables = unserialize( $row['field_tables'] );
 $fieldHelperTables = unserialize( $row['field_helper_tables'] );
- if ( $this->getRequest()->getCheck( 'delete' ) ) {
+ if ( $req->wasPosted() && $req->getCheck( 'delete' ) && $csrfTokenSet->matchToken( $req->getText( 'wpEditToken' ) ) ) {
 self::deleteTable( $tableName, $fieldTables, $fieldHelperTables );
 $text = Html::rawElement( 'p', null, $this->msg( 'cargo-deletetable-success', $tableName )->escaped() ) . "\n";
 $tablesLink = CargoUtils::makeLink( $this->getLinkRenderer(),
diff --git a/includes/specials/SpecialSwitchCargoTable.php b/includes/specials/SpecialSwitchCargoTable.php
index c7b56e84..daf950bb 100644
--- a/includes/specials/SpecialSwitchCargoTable.php
+++ b/includes/specials/SpecialSwitchCargoTable.php
@@ -86,6 +86,9 @@ public function execute( $subpage = false ) {
 $this->checkPermissions();
 $out = $this->getOutput();
+ $req = $this->getRequest();
+ $csrfTokenSet = $this->getContext()->getCsrfTokenSet();
+
 $tableName = $subpage;
 $out->enableOOUI();
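Review bot: When the posted token does not match, the new condition in SpecialDeleteCargoTable (hunk at line 88) silently falls through to re-rendering the confirmation form, so a user whose session expired gets no indication that the deletion was rejected; MediaWiki's convention is to report it, e.g. `} elseif ( $req->wasPosted() && $req->getCheck( 'delete' ) ) {` followed by `$out->addWikiMsg( 'sessionfailure' );` before the form is shown again. The check only works if the confirmation form rendered later in execute() now carries a hidden `wpEditToken` field populated from `$csrfTokenSet->getToken()->toString()`; that part of the function is outside both hunks, so it should be confirmed. The same two points apply to the matching condition in SpecialSwitchCargoTable (hunk at line 119). execute() starts and ends outside this hunk.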
@@ -116,7 +119,7 @@ public function execute( $subpage = false ) {
 $fieldTables = unserialize( $row['field_tables'] );
 $fieldHelperTables = unserialize( $row['field_helper_tables'] );
- if ( $this->getRequest()->getCheck( 'switch' ) ) {
+ if ( $req->wasPosted() && $req->getCheck( 'switch' ) && $csrfTokenSet->matchToken( $req->getText( 'wpEditToken' ) ) ) {
 self::switchInTableReplacement( $tableName, $fieldTables, $fieldHelperTables, $this->getUser() );
 $text = Html::element( 'p', null, $this->msg( 'cargo-switchtables-success', $tableName )->parse() ) . "\n";
 $tablesLink = CargoUtils::makeLink( $this->getLinkRenderer(),
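Review bot: The success line inside the new condition passes `->parse()` output through `Html::element`, which escapes its content, so any markup the message produces would be shown literally; the delete counterpart in this diff uses `Html::rawElement` with `->escaped()`. If the intent is to keep the parsed markup, `$text = Html::rawElement( 'p', null, $this->msg( 'cargo-switchtables-success', $tableName )->parse() ) . "\n";` avoids the double escaping; if the message is plain text, matching the delete page's `->escaped()` form keeps the two special pages consistent. The line is pre-existing context, but it is now the body of the token-guarded branch, so this is a reasonable moment to align it. execute() continues past the end of the hunk.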