0001-SECURITY-HTML-escape-string-values.patch

Authored By
Lucas_Werkmeister_WMDE
Feb 21 2022, 10:04 AM
Size
813 B
Referenced Files
None
Subscribers
None

From 7a20ee77ad35c36d4824c59e17f88d445f8e5f65 Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
Date: Mon, 21 Feb 2022 10:54:08 +0100
Subject: [PATCH] SECURITY: HTML-escape string values
Bug: T302192
---
includes/JCTabularContentView.php | 2 ++
1 file changed, 2 insertions(+)
diff --git a/includes/JCTabularContentView.php b/includes/JCTabularContentView.php
index b5aa8fd..87c32ce 100644
--- a/includes/JCTabularContentView.php
+++ b/includes/JCTabularContentView.php
@@ -132,6 +132,8 @@ public function valueToHtml(
} elseif ( $column === null ) {
$header['class'] = 'mw-tabular-value-null';
$column = '';
+ } else {
+ $column = htmlspecialchars( $column );
}
$vals[] = Html::rawElement( 'td', $header, $column );
}
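Review bot: the escaping in the new `else` branch only covers values that fall through the whole if/elseif chain, while the result still goes into `Html::rawElement( 'td', $header, $column )`, so the cell is safe only if every earlier branch (not visible in this hunk) also leaves `$column` as already-escaped HTML. Please confirm that for each branch and add a one-line comment above the `rawElement` call stating that `$column` must be HTML at that point, so a branch added later does not reintroduce the injection. The `else` also catches any remaining type, not only strings as the subject line says; an explicit `htmlspecialchars( (string)$column )` would make the intent clear. The diffstat shows only includes/JCTabularContentView.php changed, so a regression test that renders a string value containing markup such as `<b>` and asserts it comes out escaped would be worth adding alongside this fix.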
--
2.32.0

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
9350975
Default Alt Text
0001-SECURITY-HTML-escape-string-values.patch (813 B)