In T186726: Security review WikibaseLexeme extension the Application Security Reviews team stumbled across hard-coded demo data in the Lexeme code base. Before T168260: Deploy WikibaseLexeme extension on Wikimedia cluster these must all be removed, and possibly replaced with proper implementations:
- Everything in the directory src/DemoData and also LexemeContent.php:
- AskOut1Populator, AskOut2Populator, AskOut3Populator, HardLexemePopulator, LeiterLexemePopulator, and usages:
- Currently exclusively used in LexemeContent.
- Id.php is a set of constants.
- Used in above populators.
- Also directly used in LexemeContent.
- AskOut1Populator, AskOut2Populator, AskOut3Populator, HardLexemePopulator, LeiterLexemePopulator, and usages:
- FormIdFormatter.php and SenseIdFormatter.php are basically nothing but dummies with hard-coded demo-data.
- The formatter should just display the ID (as a string).
- resources/experts/Form.js and resources/experts/Sense.js contain the same demo data.