Escape output later, prevent out-of-bounds, update strings

README.md

@@ -236,7 +236,7 @@ If there is an error in the usage or request, a message describing the error wil
 | Failed to retrieve player data. Try again later. | An HTTP error occurred, possibly the wiki made too many requests and is temporarily blocked. |
 | The API requested does not exist. | See [above](#api) for the valid APIs.
 | Player '$1' does not exist. |
-| The skill requested does not exist. | See [RS3 Skills](#rs3-skills) or [OSRS Skills](#osrs-skills) for the known valid skills. |
-| The type requested does not exist. | See [above](#Types) for the valid types. |
+| The skill or activity requested does not exist. | See [RS3 Skills](#rs3-skills) or [OSRS Skills](#osrs-skills) for the known valid skills. |
+| The type requested does not exist for this skill or activity. | See [above](#Types) for the valid types. |
 | The highscores endpoint returned unexpected results. | The format of data received might have changed. Maybe this extension must be adjusted accordingly. |
 | The value for this skill could not be parsed. | The format of data received might have changed. Maybe this extension must be adjusted accordingly. |

i18n/en.json

@@ -8,6 +8,7 @@
 	"rshiscores-error-invalid-json": "The highscores endpoint returned unexpected results.",
 	"rshiscores-error-previous": "See previous error.",
 	"rshiscores-error-request-failed": "Failed to retrieve player data. Try again later.",
+	"rshiscores-error-type-out-of-bounds": "Type entered should be a number between 0 and 2 inclusive, or a string (e.g. 'xp', 'score', 'rank')",
 	"rshiscores-error-unexpected-value": "The value for this skill could not be parsed.",
 	"rshiscores-error-unknown-api": "The API requested does not exist.",
 	"rshiscores-error-unknown-player": "Player '$1' does not exist.",

i18n/qqq.json

@@ -8,6 +8,7 @@
 	"rshiscores-error-invalid-json": "Error message when Jagex endpoint returned unexpected json format.",
 	"rshiscores-error-previous": "Error message for when a previous error has occurred.",
 	"rshiscores-error-request-failed": "Error message for when the HTTP request failed.",
+	"rshiscores-error-type-out-of-bounds": "Error message when type was a number, but not 0, 1 or 2",
 	"rshiscores-error-unexpected-value": "Error message when value returned by the api was not string or integer.",
 	"rshiscores-error-unknown-api": "Error message for when the API requested does not exist.",
 	"rshiscores-error-unknown-player": "Error message for when the player requested does not exist.",

src/RSHiScores.php

@@ -94,7 +94,7 @@ private static function getUrl( $api ) {
 				$url = 'https://secure.runescape.com/m=hiscore_oldschool_tournament/index_lite.json?player=';
 				break;
 			default:
-				// Error: Unknown API. Should never be reached, because it is already checked in self::lookup().
+				// Error: Unknown API.
 				throw new Exception( wfMessage( 'rshiscores-error-unknown-api' ) );
 		}
 
@@ -183,11 +183,19 @@ private static function lookup( $api, $player, $skill, $type ) {
 
 		if ( filter_var( $type, FILTER_VALIDATE_INT ) !== false ) {
 			// Semi-backwards compatibility: If type is int, they used to refer to these values;
-			$type = [
-				'rank',
-				self::DEFAULT_TYPE,
-				'xp',
-			][$type];
+			switch ($type) {
+				case 0:
+					$type = 'rank';
+					break;
+				case 1:
+					$type = self::DEFAULT_TYPE;
+					break;
+				case 2:
+					$type = 'xp';
+					break;
+				default:
+					throw new Exception( wfMessage( 'rshiscores-error-type-out-of-bounds' ) );
+			}
 		}
 
 		if( $player === '' ) {
@@ -248,12 +256,12 @@ private static function postFetch( $data ) {
 		foreach ( $data as $skillOrActivity => $stats ) {
 			foreach ( $stats as $stat ) {
 				if ( isset( $stat['name'] ) ) {
-					$parsedData[ self::escapeStrings( strtolower( $stat[ 'name' ] ) ) ] = self::escapeStrings( $stat );
+					$parsedData[ strtolower( $stat[ 'name' ] ) ] = $stat;
 				}
 			}
 		}
 
-		return $parsedData;
+		return self::escapeStrings( $parsedData );
 	}
 
 	/**