Page MenuHomePhabricator

The "block" link shown to sysops in RecentChanges doesn't url-escape the username
Closed, ResolvedPublic


Author: justdave

<justdave> the "block" link in recent changes seems to not escape usernames with
& in them
<justdave> user had a username of "Fish&chips"
<justdave> he vandalized a bunch of pages
<justdave> I clicked block next to his last entry on Recent Changes and got a
box with "Fish" filled in as the username
<brion> can you show me the link?

Version: 1.4.x
Severity: normal



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 8:45 PM
bzimport set Reference to bz3220.

Created attachment 824
Fix; checked in on ChangesList.php revision 1.24

This fix applies cleanly to 1.4 and 1.5, and has been checked in on REL1_4 and
REL1_5 release branches.