
bug71394-REL1_24_REL1_23_REL1_22.patch

Authored By
Mglaser
Nov 26 2014, 1:23 PM
Size
1 KB
Referenced Files
None
Subscribers
None

bug71394-REL1_24_REL1_23_REL1_22.patch

From ebf718f48759d1c745b509fe81e6bdcb7ce9951e Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Sun Sep 28 16:16:39 2014 -0300
Subject: [PATCH] SECURITY: Make < and > be escaped in attribute values in Html::expandAttributes
This makes the code just use Sanitizer::encodeAttribute, which in
addition to that, also escapes single quote marks.
Change-Id: I4895d2b489d62e27cf033835e3b49f069fbd7b48
---
includes/Html.php | 28 ++++------------------------
1 file changed, 4 insertions(+), 24 deletions(-)
diff --git a/includes/Html.php b/includes/Html.php
index 1e16e39..be009f1 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -544,30 +544,10 @@ class Html {
$ret .= " $key=\"\"";
}
} else {
- // Apparently we need to entity-encode \n, \r, \t, although the
- // spec doesn't mention that. Since we're doing strtr() anyway,
- // and we don't need <> escaped here, we may as well not call
- // htmlspecialchars().
- // @todo FIXME: Verify that we actually need to
- // escape \n\r\t here, and explain why, exactly.
- #
- // We could call Sanitizer::encodeAttribute() for this, but we
- // don't because we're stubborn and like our marginal savings on
- // byte size from not having to encode unnecessary quotes.
- $map = array(
- '&' => '&amp;',
- '"' => '&quot;',
- "\n" => '&#10;',
- "\r" => '&#13;',
- "\t" => '&#9;'
- );
- if ( $wgWellFormedXml ) {
- // This is allowed per spec: <http://www.w3.org/TR/xml/#NT-AttValue>
- // But reportedly it breaks some XML tools?
- // @todo FIXME: Is this really true?
- $map['<'] = '&lt;';
- }
- $ret .= " $key=$quote" . strtr( $value, $map ) . $quote;
+ // Note: It's important to encode < and >, even if its not
+ // required in this context, due to how language converter
+ // works.
+ $ret .= " $key=$quote" . Sanitizer::encodeAttribute( $value ) . $quote;
}
}
return $ret;
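Review bot: The replacement at `$ret .= " $key=$quote" . Sanitizer::encodeAttribute( $value ) . $quote;` drops the explicit `\n`, `\r`, `\t` entity mapping that the removed `$map` array provided; the commit message only says that `Sanitizer::encodeAttribute` additionally escapes `<`, `>` and single quotes, so confirm it also covers those three whitespace characters before merging, otherwise this is a silent behaviour change in attribute values. The new comment should also say why the language converter needs `<` and `>` encoded (the removed comment at least cited the XML spec), and `its` should read `it's`. Finally, with the `$wgWellFormedXml` branch removed, `<` is now encoded unconditionally; check that the surrounding function does not still import that global solely for this branch.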
--
1.9.2.msysgit.0

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
15696