The new code has a smaller markup fingerprint (no more inline event
JavaScript attributes) and it also ports the outer-click-dismiss
functionality over from the wiki. It raises the JavaScript engine
requirements to IE 9 and later, though, which is in line with the home
page code.
Some refactoring and a lot of code changes are involved in this.
Basically, wmlunits has always fully trusted its WML input. This has
several implications:
* URLs such as the ones for unit detail views tend to contain
unescaped characters which are forbidden in URLs, such as spaces.
While browsers generally tolerate this well, the result is still
invalid HTML. The same applies to URLs used for inline CSS (e.g.
background-image).
* Most information read from WML such as unit names, descriptions,
campaign names, era names, and so on, was blindly trusted and could
allow an attacker to inject malicious HTML into units.wesnoth.org by
uploading an add-on that would pass the units.wesnoth.org build
process.
The resulting code might not be exempt from regressions, but hopefully
we'll identify them quickly. This commit contains some additional noise
in the form of style fixes around offending lines as well. Backporting
to 1.12 is, as far as I understand, unnecessary since units.wesnoth.org
uses the master branch version of wmlunits, but it might be worth
evaluating whether to issue a warning for the 1 person in the world who
might be running the 1.12 version of the units.wesnoth.org toolchain on
their own facilities (okay, let's face it, nobody would ever do that).
* There is now a link back to units.wesnoth.org on the navbar preceding
Home.
* The multiplication sign is used for attack stats to match 1.13.x.
* Made the Terrain table in the unit detail pages a bit more proper
markup-wise.
* Advances from/to on the unit detail page displays a dash when empty
and also has a comma-separated list of unit links in it. The same goes
for the abilities list.
The language menu gets to stay as a <div> containing a table for now
since doing columns with lists is still not that well supported across
browsers (as well as the CSS columns spec as a whole -- too many legacy
browsers floating around).
Using the original paths given in WML as alt-text does not serve any
purpose other than breaking the layout when the page hasn't finished
loading and half the icons are overlong text. If anyone really needs
those they should use a data attribute instead. The alt attribute is for
accessibility, not for making programmers happy with themselves.
* Relabeled the "Notes" column to "Translations" since that's what it
really is.
* Replaced the Download label with an icon and moved it to the add-on
names column.
* Restyled add-on version/author a bit.
* Add-on type is now more or less aligned to the middle of the icon
(regardless of what the cell height actually is -- there can be extra
empty space below the type line if the add-on title is too long, for
instance).
This also adds SVG icons to be used in table headers instead of GIF
images for browsers that support SVG in background-image. It makes
things scale better for high DPI screens.
This escapes all strings provided by add-ons server data to guarantee
they can't be used to get extraneous and potentially harmful HTML into
the generated web index.
However, because I don't have time to look into the dense regex
contained in the relevant code right now, it also removes the hidden
feature of linkifying any URLs found in add-on descriptions. It's a
small price to pay for our safety, really.
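The escaping that the two commits above describe (HTML-escaping everything read from WML and from add-on server data before it reaches the generated pages, and percent-encoding the paths used in hrefs and in inline background-image CSS so spaces and quotes cannot break the markup), as an added Python example that is not wmlunits' or the add-on index's own code. The sample strings, the function names and the row layout are constructed for this illustration. It also goes one step beyond the add-on index commit: rather than dropping URL linkification, it shows an escape-then-link approach that keeps the feature while guaranteeing that no description segment reaches the output unescaped.

```python
import html
import re
from urllib.parse import quote

# Constructed sample values standing in for strings read from untrusted WML and
# add-on server data (a hypothetical add-on, not real Wesnoth content).
SAMPLE_UNIT_ID = 'Evil Knight'
SAMPLE_UNIT_NAME = 'Evil <script>alert(1)</script> Knight'
SAMPLE_ICON = 'units/human loyalists/evil knight.png'
SAMPLE_DESC = 'See https://example.org/a?b=1&c=2 for "details" <b>now</b>'

# Only http(s) URLs are linkified, so a javascript: or data: URL in a
# description can never become a clickable link.
URL_RE = re.compile(r'(https?://[^\s<>"\']+)')


def escape_text(s):
    """HTML-escape text for element content or a double-quoted attribute value.
    quote=True also escapes ' and " so the value cannot close the attribute."""
    return html.escape(s, quote=True)


def unit_link(unit_id, name):
    """Anchor to a unit detail page. The id is percent-encoded (spaces become
    %20, so the href is a valid URL, and '/' is encoded too) and both pieces
    are HTML-escaped before being placed in the markup."""
    href = 'units/%s.html' % quote(unit_id, safe='')
    return '<a href="%s">%s</a>' % (escape_text(href), escape_text(name))


def icon_style(image_path):
    """Inline style for a background-image. The path is percent-encoded, which
    also neutralises the quotes and parentheses that could end the url()
    token; the whole attribute value is then HTML-escaped."""
    css = 'background-image: url("%s")' % quote(image_path, safe='/')
    return 'style="%s"' % escape_text(css)


def linkify(description):
    """Escape-then-link: split the raw text into URL and non-URL segments,
    escape every segment, and wrap only the captured URLs in <a>. Because no
    segment reaches the output unescaped, injected markup stays inert."""
    parts = []
    for i, segment in enumerate(URL_RE.split(description)):
        if i % 2 == 1:  # odd indexes are the captured URL groups
            url = escape_text(segment)
            parts.append('<a href="%s">%s</a>' % (url, url))
        else:
            parts.append(escape_text(segment))
    return ''.join(parts)


def render_row(unit_id, name, icon, description):
    """One index table row, assembled only from already escaped pieces."""
    return '<tr><td %s>%s</td><td>%s</td></tr>' % (
        icon_style(icon), unit_link(unit_id, name), linkify(description))


if __name__ == '__main__':
    print(render_row(SAMPLE_UNIT_ID, SAMPLE_UNIT_NAME, SAMPLE_ICON, SAMPLE_DESC))
```

The point of `linkify` is the order of operations: the URL regex runs on the raw text, and escaping is applied per segment afterwards, so the `&` inside a query string correctly becomes `&amp;` in the href while a `<b>` in the surrounding prose is rendered as literal text. Running the regex over already-escaped text instead would make `&lt;` look like part of a URL.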
fixup for 3d63f66dbb
After this commit, all the wmlparser tests pass (including the new one) and the issue stated in #907 has also been verified to be fixed.