r106452 MediaWiki - Code Review archive

Repository: MediaWiki
Revision: r106451 | r106452 | r106453
Date: 18:09, 16 December 2011
Author: jeroendedauw
Status: resolved (Comments)
Tags:
Comment:
Follow up to r101940; fix escape fail
Modified paths:
  • /trunk/extensions/Contest/specials/SpecialContest.php (modified)

Diff

Index: trunk/extensions/Contest/specials/SpecialContest.php
@@ -303,7 +303,7 @@
304304 $this->getOutput()->addHTML(
305305 '<fieldset>' .
306306 '<legend>' . wfMsgHtml( 'contest-contest-showonly' ) . '</legend>' .
307 - '<form method="post" action="' . $GLOBALS['wgScript'] . '?title=' . $title . '">' .
 307+ '<form method="post" action="' . htmlspecialchars( $GLOBALS['wgScript'] . '?title=' . $title ) . '">' .
308308 Html::hidden( 'title', $title ) .
309309 $this->getDropdownHTML(
310310 'challenge',
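Review bot: On the changed line 307, $title is still concatenated into the query string without URL-encoding, so wrapping the whole value in htmlspecialchars() makes the attribute safe for HTML but does not keep the title intact as a single query parameter. Once the browser decodes the attribute, a title containing &, #, + or % is split or altered in '?title=' . $title. Suggest URL-encoding the value before escaping, for example htmlspecialchars( $GLOBALS['wgScript'] . '?title=' . urlencode( $title ) ), or building the URL from a Title object rather than by string concatenation.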

Follow-up revisions

Revision | Commit summary | Author | Date
r106713 | Follow up to r106452; proper escape | jeroendedauw | 22:31, 19 December 2011
r106838 | MFT r106452, r106603, r106708, r106709, r106713, r106714 | reedy | 19:15, 20 December 2011

Past revisions this follows-up on

Revision | Commit summary | Author | Date
r101940 | added filter options for the contestant list | jeroendedauw | 01:25, 4 November 2011

Comments

#Comment by Catrope (talk | contribs)   22:03, 19 December 2011

You need to escape $title too.

#Comment by Jeroen De Dauw (talk | contribs)   22:10, 19 December 2011

You are misreading the code I think, it's within the escaping call.

#Comment by Platonides (talk | contribs)   22:13, 19 December 2011

What if $title was 'Contest & friends' ?

#Comment by Jeroen De Dauw (talk | contribs)   22:31, 19 December 2011

Then you prove I was sleeping when making this commit :) Fixed in follow up.
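
The point raised in the comments above, as an added example (not code from the Contest extension, and not the content of r106713, which this page does not show): HTML-escaping the whole `action` value protects the attribute, but the title also needs URL-encoding to arrive as one query parameter. `$script`, the sample values and the helper `paramsSeenByServer()` are constructed for illustration.

```php
<?php
// Added illustration. $script and $title are constructed sample values;
// paramsSeenByServer() is a hypothetical helper, not MediaWiki code.
$script = '/w/index.php';       // stands in for $GLOBALS['wgScript']
$title  = 'Contest & friends';  // the title suggested in the review thread

$variants = [
    // The form committed in r106452: HTML-escaped, not URL-encoded.
    'htmlspecialchars only' =>
        htmlspecialchars( $script . '?title=' . $title ),
    // Assumed correction: URL-encode the value, then HTML-escape the URL.
    'urlencode, then htmlspecialchars' =>
        htmlspecialchars( $script . '?title=' . urlencode( $title ) ),
];

/**
 * Query parameters the server would receive for an action attribute value.
 */
function paramsSeenByServer( string $attr ): array {
    // The HTML parser reverses entity escaping before the URL is used.
    $url = htmlspecialchars_decode( $attr );
    // Everything after the first "?" is the query string.
    $query = explode( '?', $url, 2 )[1] ?? '';
    // parse_str() splits on "&" and percent-decodes, as PHP does for $_GET.
    // A browser would also percent-encode the spaces, but "&" would still
    // act as a parameter separator.
    parse_str( $query, $params );
    return $params;
}

foreach ( $variants as $label => $attr ) {
    printf( "%s\n  action=\"%s\"\n  server sees: %s\n",
        $label, $attr, json_encode( paramsSeenByServer( $attr ) ) );
}
```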
