[01:05:52] Hmm ashley: Does GSoC happen just online, or also offline too?
[01:06:23] online (although I think there's a chance to attend some offline summit at Google or something? not sure)
[01:07:50] Ah, OK
[01:08:11] I'll probably just do online summit when I do it in a couple years (at least, I plan to! :P )
[01:20:08] cool :D I certainly hope you'd be able to do it -- I'm sure you can come up with some new, beautiful and handy features :)
[01:28:01] that'd be awesome :D
[01:37:23] [LocalSettings] SamanthaNguyen pushed 1 new commit to master: https://git.io/vMC6Y
[01:37:23] LocalSettings/master 10e108c Samantha Nguyen: Remove unused lines, which were configs for SiteMatrix...
[02:44:16] ashley: https://gerrit.wikimedia.org/r/#/c/331204
[02:45:23] looks good to me (but I can't +2)
[02:49:55] yep, gotcha
[02:50:08] you can +1 if you want, you don't have to though :P
[02:59:41] {{done}}
[03:07:35] Looks like I found someone who knows what they're doing in terms of the CapsuleMultiselectWidget :P
[03:07:36] https://phabricator.wikimedia.org/T131492#2923360
[03:15:21] found a patch that's interesting: https://gerrit.wikimedia.org/r/#/c/249453/
[03:55:55] ashley: Does ShoutWiki have any guidelines on using ShoutWiki's Phabricator, similar to how there's guides for Wikimedia Phabricator?
[03:56:40] basically [[w:WP:Use common sense]] and [[m:Don't be a dick]], I'd say :P
[03:57:21] sounds simple enough :P
[18:23:43] morning ashley o/ (well, afternoon over there I think? :P ) how are you? :P
[18:24:31] howdy :) I'm okay (save for the fact that I have a really early morning tomorrow, ugh); you?
[18:25:56] i'm good, i just read your response on your talk page, thanks for the reply :D that practice was indeed quite helpful, so I'm going to find more extensions to code review as you suggested
[18:26:09] \o/ awesome!
[18:29:34] yep :D i'm hoping that I can find some :P (but also like if I do find a security issue, that'll be kind of scary at the same time :P )
[18:32:18] of course I wanna say "it's rare to find one" but the reality is most likely quite the opposite, in fact -- it's pretty safe to assume that most non-WMF-deployed extensions have some issues, and the ones written by inexperienced devs can have security issues, too; then again even some of us who have been around for ages make mistakes -- maybe not as simple as using raw SQL and forgetting to...
[18:32:20] ...escape values, but I know for a fact that many of the security issues I found last year had been there for ages and somehow I managed to overlook 'em :/
[18:34:00] like this: https://gerrit.wikimedia.org/r/#/c/254293/ -- I'm happy that I found the issues and was able to fix 'em (all by myself, even ;), but I'm not happy about the issues being there and having gone unnoticed literally for years :-|
[18:37:08] ah yeah, i think i somehow remember seeing that WikiCategoryTagCloud patch
[18:38:21] (so why is https://github.com/wikimedia/mediawiki-extensions-QuizGame/blob/master/QuizGameLogFormatter.php existing, if you could submit a patch to the LogFormatter.php file on the getActionText() function? https://phabricator.wikimedia.org/diffusion/MW/browse/master/includes/logging/LogFormatter.php;d6423137639590a19580198429d7845388943e39$399
[18:39:39] (okay well, I should probably look at a smaller extension, so let me find something else.. :P )
[18:42:09] quoth Tim Starling (IIRC) once again, "the wheels of change, they turn slowly", or as the case might be sometimes, not at all; I could try it but I have a feeling it'd get either -1'd or -2'd to hell; might nevertheless be worth it if someone would be able to tell me a better way to do it
[18:43:36] ahh, OK
[18:46:14] oh that reminds me, i found one of the files using the innerHTML() function several times in UserImages extension, but I forgot which file
[18:48:25] (which I read about in https://www.mediawiki.org/wiki/DOM-based_XSS#Avoid )
[18:49:02] aye; don't worry too much about UserImages for the time being :)
[18:49:50] ah, alright :)
[18:57:44] is it a common convention to translate warnings and errors as well? I found https://www.mediawiki.org/wiki/API/Architecture_work/i18n#Warnings_and_errors, but I'm not sure if I should be looking out for hard-coded English warnings/errors
[18:59:03] oh just api i18n stuff I guess, so not very important?
[19:04:04] yeah, I personally don't care too much about API i18n; but in the stuff that the users see, there shouldn't be hard-coded strings
[19:04:59] ah, OK
[19:06:24] bbl in 45min-1½h or so; feel free to leave any questions/thoughts/etc. here and I'll reply to 'em when I get back :)
[19:08:06] alright! sounds good
[19:23:03] hey george
[19:25:26] hi
[19:45:43] ashley: Just found two isset()s in https://github.com/wikimedia/mediawiki-extensions-Petition/blob/master/SpecialPetition.php#L18 and Line 19
[19:45:53] Not sure what it's doing though? And I don't know how to rewrite it
[19:53:32] oh wait, that's the ternary operator, it's like the shorter version of the if/else statement
[20:08:18] https://gist.github.com/SamanthaNguyen/6a07285ce6cbdcf61d5f0b46ddddfcc6
[20:22:42] https://www.mediawiki.org/wiki/Manual:Coding_conventions/PHP#isset.28.29 mentions isset() (as well as empty() right above it), but I don't think it needs to be changed in the petition ext., it doesn't introduce a security vuln or anything
[20:24:22] Ah, OK. I saw it in Security Checklist for Developers as well, and remembered that RandomUsersWithAvatars has the isset() function too
[20:24:58] https://github.com/wikimedia/mediawiki-extensions-RandomUsersWithAvatars/commit/5e44442e4cbf7aa73b7a6e94565072c10dc0ea65 which was in this patch that you helped me out with :P
[20:25:14] I'm guessing it's OK too?
[20:27:31] I believe so, yeah; https://www.mediawiki.org/wiki/Security_checklist_for_developers#Any_user_input:_no_isset.21 uses pretty strong words without exactly giving a detailed rationale for it; also the part about register_globals no longer applies, because, as per [[mw:register_globals]] MW 1.24+ requires that setting to be disabled for MW to run
[20:29:32] Yeah, I was a little confused about that part because it said "any use of the isset() function is frowned upon", so I was assuming there weren't any exceptions or few exceptions
[20:31:34] So, do you know why the part about isset() is there? it doesn't give any explanation
[20:32:35] nope, sorry :-/
[20:33:24] ah that's alright
[20:44:21] just realized the extension I submitted a patch to isn't actively maintained :P
[20:44:45] welp it's okay, I'll just look for another extension
[20:55:12] aye; you can still ask some of the people who have +2 access to the mediawiki/core repository to take a look at your changes, since they're able to +2 'em, too
[20:56:34] ah alright
[21:03:00] oh nvm, the author is still active (just found the author): https://phabricator.wikimedia.org/p/Pcoombe/
[21:35:49] ashley: https://phabricator.wikimedia.org/T146524
[21:36:05] er, https://phabricator.wikimedia.org/T146524#2927046
[21:37:08] aye, sounds good to me; I'd definitely suggest making it collapsible (&collapsed) by default :)
[21:37:35] okay, just make sure to post your comment on the ticket, otherwise I might forget.. :P
[21:40:57] {{done}} ;)
[21:42:22] (y)
[21:43:04] I'll start amending that existing patch
[21:45:58] can we safely remove https://github.com/wikimedia/mediawiki-extensions-ArticleFeedbackv5/blob/master/modules/jquery.articleFeedbackv5/jquery.articleFeedbackv5.utils.js#L237 ?
[21:47:08] I mean, AFTv5 isn't supposed to provide browser support for IE6 or Firefox 2 :P and user agent sniffing isn't recommended
[22:08:08] not sure; UA sniffing isn't recommended, that's true, but sometimes it's a necessary evil -- sometimes you don't want to test for capabilities but for a certain broken browser version or family or w/e; I suggest filing a ticket and/or testing it out -- IE6 and FF2 we can safely forget about but idk about the Android UA there; it's certainly a damn broad term likely to match all default...
[22:08:10] ...Android browsers regardless of version (save for the Android devices which run Google's crapware and thus forced to use Chrome and whatnot)
[22:15:34] alright, created: https://phabricator.wikimedia.org/T154882
[22:30:28] hmm ashley: what's the difference between $wfMsg() and $this->msg()?
[22:30:45] Also, would I be right to follow the section shown at https://www.mediawiki.org/wiki/DOM-based_XSS#Use ?
[22:32:00] * wfMessage; wfMessage() and $this->msg() are for all purposes identical, but you're supposed to use $this->msg() in cases where you have a RequestContext available (such as inside a SpecialPage, Pager, etc.) and only use wfMessage when you don't have a RequestContext (e.g. static/hooked functions)
[22:32:18] (wfMsg() was an old i18n function which no longer exists and has been replaced by the Message class, i.e. wfMessage()/$this->msg())
[22:34:22] ah kk, thanks :)
[22:46:38] also the security page seems reasonable to me
[22:53:25] alright cool, thanks for checking!
[23:01:51] blah, the jquery.articleFeedbackv5.special.js script is almost 2000+ lines long
[23:02:52] *is almost 2000 lines long (1935 to be exact)
[23:09:25] what a pain in the ass to scour through the whole file for removing the rest of the other tooltip JS so there isn't any technical debt left behind
[23:10:08] it's better than keeping that technical debt there forever though ;-)
[23:26:55] that's the spirit :D
[23:49:24] just found a neat little gem: http://htmlcolorcodes.com/color-names/
[23:50:24] well, the whole site is useful :P