r106452 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r106451‎ \| r106452 \| r106453 >
Date:	18:09, 16 December 2011
Author:	jeroendedauw
Status:	resolved (Comments)
Tags:
Comment:	Follow up to r101940; fix escape fail
Modified paths:	/trunk/extensions/Contest/specials/SpecialContest.php (modified) (history)

Diff [purge]

Index: trunk/extensions/Contest/specials/SpecialContest.php
—	—	@@ -303,7 +303,7 @@
304	304	$this->getOutput()->addHTML(
305	305	'<fieldset>' .
306	306	'<legend>' . wfMsgHtml( 'contest-contest-showonly' ) . '</legend>' .
307		~~- '<form method="post" action="' . $GLOBALS['wgScript'] . '?title=' . $title . '">' .~~
	307	+ '<form method="post" action="' . htmlspecialchars( $GLOBALS['wgScript'] . '?title=' . $title ) . '">' .
308	308	Html::hidden( 'title', $title ) .
309	309	$this->getDropdownHTML(
310	310	'challenge',

Revision	Commit summary	Author	Date
r106713	Follow up to r106452; proper escape	jeroendedauw	22:31, 19 December 2011
r106838	MFT r106452, r106603, r106708, r106709, r106713, r106714	reedy	19:15, 20 December 2011

Revision	Commit summary	Author	Date
r101940	added filter options for the contestant list	jeroendedauw	01:25, 4 November 2011

#Comment by Catrope (talk | contribs) 22:03, 19 December 2011

You need to escape $title too.

#Comment by Jeroen De Dauw (talk | contribs) 22:10, 19 December 2011

You are misreading the code I think, it's within the escaping call.

#Comment by Platonides (talk | contribs) 22:13, 19 December 2011

What if $title was 'Contest & friends' ?

#Comment by Jeroen De Dauw (talk | contribs) 22:31, 19 December 2011

Then you prove I was sleeping when making this commit :) Fixed in follow up.

22:34, 19 December 2011 Catrope (talk | contribs) changed the status of r106452 [removed: new added: resolved]
22:10, 19 December 2011 Jeroen De Dauw (talk | contribs) changed the status of r106452 [removed: fixme added: new]
22:03, 19 December 2011 Catrope (talk | contribs) changed the status of r106452 [removed: new added: fixme]