Project reviewed. xss bug fixed.

SolidKalium · SolidKalium · commit a0cfaaef6367 · 2026-03-15T21:37:31.000-04:00
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -2,6 +2,16 @@
 
 This project has a small local build step for generating distributable artifacts without requiring a MediaWiki instance.
 
+Documentation exists in three places:
+* [README.md](README.md), [specifications.md](specifications.md), and [DEVELOPMENT.md](DEVELOPMENT.md)
+* [Template:InlineDateTime/doc](gadget/Template_InlineDateTime_doc.wikitext)
+* The demo page
+
+Testing has three available parts:
+* The demo page
+* Lua test suite
+* Manual integration testing with a prepared docker file
+
 ## Build artifacts
 
 Run:
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ This is a Mediawiki gadget for game wikis with a few game servers in different t
 
 This gadget will format times and timespans as inline text with a tooltip (accessible on hover or tap) that translates the time to the user's local time. The information is kept minimal for compactness but expansion occurs as needed for precision.
 
-[Demo page](https://solidkalium.github.io/inline-datetime/)
+**[See our demo page!](https://solidkalium.github.io/inline-datetime/)**
 
 Example tooltip:
 
@@ -20,7 +20,7 @@ Example tooltip:
   * Single moment across servers (e.g. `04:00 +8`): usually server maintenance
     * Inline text: user's timezone
     * Tooltip: servers' timezones
-  * Same server time across servers (e.g. `04:00 server`): usually daily & weekly resets
+  * Same server time across servers (e.g. `04:00`): usually daily & weekly resets
     * Inline text: the server-relative time
     * Tooltip: when each server observes that time, according to the user's timezone
 * Single times or timespans (can mix and match date kinds)
@@ -30,10 +30,12 @@ Example tooltip:
 * Basic default text to display when Javascript is disabled
 * Basic semantic HTML classes to enable custom css
 * Auto-deduplicating things like the year or day when it is the same for the whole timespan in the user's timezone.
-* Provides [[Category:Pages with InlineDateTime errors]]
+* Dynamic content added via `mw.hook('wikipage.content')` is handled automatically
+* Provides `[[Category:Pages with InlineDateTime errors]]`
 
 **Known issues:**
 * The no-JS fallback text is not styled and doesn't deduplicate as well as the JS code.
+* The server agnostic description isn't moved into the tooltip when there is a raw text override.
 
 **Not supported:**
 * Languages other than English
@@ -50,6 +52,8 @@ Example tooltip:
   * But: you can use a raw text override
 * Disable tooltip (other than by disabling js)
 * Support for showing seconds. We assume everything is minute-aligned.
+* Support for entering days without hours and minutes.
+* Support for compact inline text that removes the hours and minutes but leaves them in the tooltip.
 * Tooling for locating date-like entries on pages that haven't been wrapped in the template.
 * PHP time parsing `{{time:}}`
   * This is intentional to prevent silent errors. If someone writes something like "from maintenance until Mar 29 reset" would likely be collapsed to March 29 of either the current or next year. If there's a good reason to support "second tuesday of last month + 10 seconds" then this could change.
diff --git a/TODO.md b/TODO.md
@@ -6,6 +6,7 @@
   * Include style classes?
     * This could interfere with the current no-JS demo
 * audit code for readability and obviousness
+* Re-organize "supported" and "not-supported" notes in README
 
 ## Later
 
diff --git a/gadget/Module_InlineDateTime.lua b/gadget/Module_InlineDateTime.lua
@@ -93,6 +93,8 @@ local function formatFallback(parsed)
     local parts = {}
     table.insert(parts, monthStr .. ' ' .. d)
     -- Include year only if it's not the current year
+    -- '!' gives UTC time; the year may differ from local wiki time around UTC midnight
+    -- on Jan 1, but this is acceptable for a no-JS fallback.
     local currentYear = os.date('!%Y')
     if y ~= currentYear then
         table.insert(parts, y)
@@ -219,7 +221,7 @@ function p.main(frame)
 
     -- Assemble the span
     local attrStr = table.concat(dataAttrs, ' ')
-    return '<span class="dt-inline" ' .. attrStr .. '>' .. display .. '</span>'
+    return '<span class="dt-inline" ' .. attrStr .. '>' .. htmlEscape(display) .. '</span>'
 end
 
 return p
diff --git a/gadget/inline-datetime.js b/gadget/inline-datetime.js
@@ -101,6 +101,10 @@
     function getFormatter(cacheKey, options, locale) {
         if (!FORMATTER_CACHE[cacheKey]) {
             FORMATTER_CACHE[cacheKey] = new Intl.DateTimeFormat(
+                // Use arguments.length rather than `locale || 'en-US'` because
+                // passing explicit undefined still satisfies ||, so the browser
+                // locale would never be reached. Callers omit the argument for
+                // en-US and pass undefined for the browser's locale.
                 arguments.length < 3 ? 'en-US' : locale,
                 options
             );
diff --git a/scripts/build_artifacts.py b/scripts/build_artifacts.py
@@ -220,8 +220,8 @@ def render_test_cases() -> tuple[str, str]:
 
 
 def mw_code_from_args(args: dict) -> str:
-    """Build a {{dt|...}} template call string from an args dict."""
-    parts = ["{{dt"]
+    """Build a {{IDT|...}} template call string from an args dict."""
+    parts = ["{{IDT"]
     for k, v in args.items():
         parts.append(f"|{k}={v}")
     parts.append("}}")
diff --git a/test/run_lua_tests.lua b/test/run_lua_tests.lua
@@ -86,6 +86,21 @@ run('soft error: html entities escaped in start input',
     'dt-error-soft',
     '&lt;script&gt;xss&lt;/script&gt;')
 
+run('soft error: html entities escaped in end input',
+    { start = '2026-03-12 06:00', ['end'] = '<script>xss</script>' },
+    'dt-error-soft',
+    '&lt;script&gt;xss&lt;/script&gt;')
+
+run('soft error: html entities escaped in raw input',
+    { start = 'bad-date', raw = '<script>xss</script>' },
+    'dt-error-soft',
+    '&lt;script&gt;xss&lt;/script&gt;')
+
+run('valid: html entities escaped in raw input',
+    { start = '2026-03-12 06:00', raw = '<script>xss</script>' },
+    'class="dt-inline"',
+    '&lt;script&gt;xss&lt;/script&gt;')
+
 -- ── Valid output: data attributes ─────────────────────────────────────────────
 
 run('valid: server time emits correct attributes',
diff --git a/test/test-cases.json b/test/test-cases.json
@@ -8,7 +8,7 @@
           "description_before": "Combat Drills for Tangtang is available from",
           "description_after": ".",
           "args": { "start": "2026-03-12 12:00", "end": "2026-03-29 12:00" },
-          "code": "{{dt|start=2026-03-12 12:00|end=2026-03-29 12:00}}",
+          "code": "{{IDT|start=2026-03-12 12:00|end=2026-03-29 12:00}}",
           "note": "Inline text shows \"(server)\" once at the end. Tooltip shows your local time per server."
         },
         {
@@ -57,14 +57,14 @@
             "end": "2026-03-29 04:00",
             "raw": "After maintenance until Mar 29 reset"
           },
-          "code": "{{dt|start=2026-03-12 12:00 +8|end=2026-03-29 04:00|raw=After maintenance until Mar 29 reset}}",
+          "code": "{{IDT|start=2026-03-12 12:00 +8|end=2026-03-29 04:00|raw=After maintenance until Mar 29 reset}}",
           "note": "Inline text stays exactly as provided. Tooltip should still be built from the datetime parameters."
         },
         {
           "title": "Raw text + single time + server filter",
           "description_before": "Asia-only schedule note:",
           "args": { "start": "2026-03-29 04:00", "server": "asia", "raw": "Asia server daily reset" },
-          "code": "{{dt|start=2026-03-29 04:00|server=asia|raw=Asia server daily reset}}",
+          "code": "{{IDT|start=2026-03-29 04:00|server=asia|raw=Asia server daily reset}}",
           "note": "Inline text should remain raw, and the tooltip should be limited to the specified server."
         }
       ]
