
formatNum output should be escaped
Open, Low, Public

Description

Author: michal

Description:
formatNum output is not escaped in many places in MediaWiki, but as Nikerabbit suggested, formatNum doesn't necessarily return an escaped string. Although there is no language that uses <, > or & as a digit or digit separator, we should either escape formatNum or check that there are no special characters in the language file (separatorTransformTable, digitTransformTable).


Version: 1.22.0
Severity: minor
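The two options the description proposes, as an added example that is not MediaWiki's code: a scan of the transform tables for HTML-special characters, and escaping of formatNum output before it reaches HTML. The tables and the minimal format_num stand-in are constructed for this example; the real tables, grouping rules and formatNum signature are assumptions here.

```python
import html

# Constructed sample tables in the shape of MediaWiki's $digitTransformTable /
# $separatorTransformTable (Western form -> localized form). Not copied from
# any real language file.
DIGIT_TABLE_AR = {  # Arabic-Indic digits, a realistic table that is safe
    '0': '\u0660', '1': '\u0661', '2': '\u0662', '3': '\u0663', '4': '\u0664',
    '5': '\u0665', '6': '\u0666', '7': '\u0667', '8': '\u0668', '9': '\u0669',
}
SEP_TABLE_AR = {',': '\u066c', '.': '\u066b'}

# Constructed table that violates the assumption the task relies on: a separator
# containing characters that are meaningful in HTML. It exists only so the
# check and the escaping below have a failing case to act on.
SEP_TABLE_BAD = {',': '"><', '.': '.'}

HTML_SPECIAL = set('<>&"\'')

def unsafe_entries(table):
    """Option 2 from the task: list (key, value) pairs whose localized form
    contains an HTML-special character. An empty list means the table can be
    emitted into HTML without escaping."""
    return [(k, v) for k, v in table.items() if HTML_SPECIAL & set(v)]

def format_num(number, digits, seps):
    """Minimal stand-in for formatNum (assumed behaviour, not the real
    implementation): group thousands with ',' and then map every character
    through the digit table, then the separator table. Output is unescaped,
    exactly as the task describes."""
    grouped = f'{number:,}'
    return ''.join(digits.get(ch, seps.get(ch, ch)) for ch in grouped)

def format_num_html(number, digits, seps):
    """Option 1 from the task: escape formatNum output before HTML insertion.
    With the safe tables this is a no-op; with the bad table it neutralises
    the separator instead of letting it close an attribute or tag."""
    return html.escape(format_num(number, digits, seps), quote=True)
```

unsafe_entries is the kind of check that could run over every language file at test time, so a newly added table with a special character fails the build rather than reaching a page.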

Details

Reference
bz48802

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 1:30 AM
bzimport set Reference to bz48802.
bzimport added a subscriber: Unknown Object (MLST).

Regarding the process, we need clear criteria for when this bug can be closed, for example a list of all offending cases (keeping in mind that not all formatNum calls are for HTML output).

(In reply to comment #0)

> formatNum output is not escaped in many places in MediaWiki, but as Nikerabbit suggested, formatNum doesn't necessarily return an escaped string. Although there is no language that uses <, > or & as a digit or digit separator, we should either escape formatNum or check that there are no special characters in the language file (separatorTransformTable, digitTransformTable).

Just to clarify, this is referring to HTML escaping, not wikitext escaping. (Just reading the bug title made me think this was like the issue with a page name starting with a *.)

Krinkle set Security to None.
Krinkle removed a subscriber: Unknown Object (MLST).