Page MenuHomePhabricator
Files F14798

file_71394.txt
acl*security
Actions

Authored By
bzimport
Nov 22 2014, 3:46 AM
Size
1 KB
Referenced Files
None
Subscribers
None

file_71394.txt
View Options

commit b26cc5d0f678c93215389fa5458a957034820bb1
Author: Brian Wolff <bawolff+wn@gmail.com>
Date: Sun Sep 28 16:16:39 2014 -0300
Make < and > be escaped in attribute values in Html::expandAttributes
This makes the code just use Sanitizer::encodeAttribute, which in
addition to that, also escapes single quote marks.
Change-Id: I4895d2b489d62e27cf033835e3b49f069fbd7b48
diff --git a/includes/Html.php b/includes/Html.php
index 1e16e39..be009f1 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -544,30 +544,10 @@ class Html {
$ret .= " $key=\"\"";
}
} else {
- // Apparently we need to entity-encode \n, \r, \t, although the
- // spec doesn't mention that. Since we're doing strtr() anyway,
- // and we don't need <> escaped here, we may as well not call
- // htmlspecialchars().
- // @todo FIXME: Verify that we actually need to
- // escape \n\r\t here, and explain why, exactly.
- #
- // We could call Sanitizer::encodeAttribute() for this, but we
- // don't because we're stubborn and like our marginal savings on
- // byte size from not having to encode unnecessary quotes.
- $map = array(
- '&' => '&amp;',
- '"' => '&quot;',
- "\n" => '&#10;',
- "\r" => '&#13;',
- "\t" => '&#9;'
- );
- if ( $wgWellFormedXml ) {
- // This is allowed per spec: <http://www.w3.org/TR/xml/#NT-AttValue>
- // But reportedly it breaks some XML tools?
- // @todo FIXME: Is this really true?
- $map['<'] = '&lt;';
- }
- $ret .= " $key=$quote" . strtr( $value, $map ) . $quote;
+ // Note: It's important to encode < and >, even if its not
+ // required in this context, due to how language converter
+ // works.
+ $ret .= " $key=$quote" . Sanitizer::encodeAttribute( $value ) . $quote;
}
}
return $ret;

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
14199
Default Alt Text
file_71394.txt (1 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL