
T125163-REL1_27

Authored By
Bawolff
Aug 1 2016, 12:19 PM
Size
1 KB


From 98ea750700ba550f0b2308b574831e3c8f407c32 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Thu, 28 Jan 2016 18:04:01 -0500
Subject: [PATCH] Make anchor for headlines escape > and <
As a hardening step against language converter and its crazy regexes.
Change-Id: I0d253611fbb8d12cb5c937e36fdb122efe186943
---
includes/Linker.php | 2 ++
1 file changed, 2 insertions(+)
diff --git a/includes/Linker.php b/includes/Linker.php
index 5717fba..5951788 100644
--- a/includes/Linker.php
+++ b/includes/Linker.php
@@ -1799,11 +1799,13 @@ class Linker {
public static function makeHeadline( $level, $attribs, $anchor, $html,
$link, $legacyAnchor = false
) {
+ $anchor = htmlspecialchars( $anchor );
$ret = "<h$level$attribs"
. "<span class=\"mw-headline\" id=\"$anchor\">$html</span>"
. $link
. "</h$level>";
if ( $legacyAnchor !== false ) {
+ $legacyAnchor = htmlspecialchars( $legacyAnchor );
$ret = "<div id=\"$legacyAnchor\"></div>$ret";
}
return $ret;
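Review bot: escaping $anchor and $legacyAnchor inside makeHeadline changes the function's contract, and the docblock (above this hunk, not shown) should say so, because any caller that already ran htmlspecialchars on its anchor will now double-escape (an `&amp;` becomes `&amp;amp;`, which no longer matches the fragment in the link); please audit the REL1_27 callers of makeHeadline and either drop their own escaping or pass the raw anchor. The default htmlspecialchars flags escape `"` but not `'`, which is adequate here only because both values are interpolated into double-quoted attributes (`id=\"$anchor\"` and `<div id=\"$legacyAnchor\">`); passing ENT_QUOTES would make that not depend on the quoting style if the template is edited later. Note that $attribs, $html and $link are still interpolated unescaped and remain the caller's responsibility, so this hunk hardens the id attributes only.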
--
1.9.5 (Apple Git-50.3)
