Extension talk:Flattr

Annotations to version 0.7
// Check sanity on $wgFlattrForceUserid if (!isset($wgFlattrForceUserid) || $wgFlattrForceUserid != true || $wgFlattrForceUserid != false) { $wgFlattrForceUserid = false; } No matter what value (and type of this value) you compare to both true or false, it always will result in one true and one false, so the result is always true. If you want a comparision that assures the type is boolean you have to use a type-safe comparion operator === or !==. But what are you afraid of to make such a check? Just use $wgFlattrForceUserid = !empty($wgFlattrForceUserid); instead of the code above to force a boolean value. results to true for both not existing variables and values evaluating to false, so the negation is necessary. if (isset($args['url']) && !isset($args['uid'])) { return ...; } else { ... } Because if the condition ist true you will leave the current scope, so you don't need to protect the otherwise-code from execution with an else block encapsulation. $out = ""; $out .= "". PHP_EOL; is the same but longer as $out = ''. PHP_EOL; if (isset($wgFlattrUserid) && $wgFlattrUserid > 0 && (true === $wgFlattrForceUserid || !isset($args['uid']))) { $out .= "var flattr_uid = '". $wgFlattrUserid. "';" . PHP_EOL; Maybe you trust the admin that the content of  is safe, but I wouldn't rely on it.
 * Concering:
 * The following is a useless use of.
 * Don't style errors yourself. There is a rule for .error in a common CSS file, so you only need a.
 * A wrong value for  should generate an error message, not change silently to  . Or even better: implement both an error message and a forceLanguage option (for single language wikis).
 * It doesn't cost a lot of execution time but it's not necessary to initialize $out if you unconditionally assign a value to it just in the next line.
 * If you use  to ensure   is boolean you can shorten the next line a bit
 * Do not apply  to input values. Typically you will operate in your script with raw values. Apply it just before or while creating the output. If you always place   to the output you won't miss lines like this:

In addition, Javascript as content of is not HTML, so you have to escape regarding the JS rules not the HTML rules. Quote from the HTML4.01 spec. : “Although the STYLE and SCRIPT elements use CDATA for their data model, for these elements, CDATA must be handled differently by user agents. Markup and entities must be treated as raw text and passed to the application as is.” - Due to this rule  applied to a URL containing an   in a JS context results in the string   and no HTML parser will resolve this to a raw , so the resulting URL ist broken.

Unfortunately there is no function to escape values for JS strings in PHP, but you can use this one:

function wgFlattrJsEscape($value) { return strtr((string)$value, array( "'"    => '\\\'',     '"'     => '\"',     '\\'    => '\\\\',     "\n"    => '\n', "\r"   => '\r', "\t"   => '\t', chr(12) => '\f', chr(11) => '\v', chr(8) => '\b', ' '\u003c\u002F', )); }

if (isset($args['url'])) { $out .= "var flattr_tag = '". $args['url']. "';" . PHP_EOL; } Should be  instead of ..._tag.
 * And a copy&paste error: