r114191 MediaWiki - Code Review archive

Repository: MediaWiki
Revision: r114191
Date: 21:37, 19 March 2012
Author: awjrichards
Status: reverted
Tags:
Comment:
htmlspecialchars -> Xml::escapeJsString
Modified paths:
  • /trunk/extensions/MobileFrontend/templates/SearchTemplate.php (modified) (history)

Diff

Index: trunk/extensions/MobileFrontend/templates/SearchTemplate.php
@@ -8,14 +8,14 @@
99
1010 public function getHTML() {
1111
12 - $searchField = htmlspecialchars( $this->data['searchField'] );
 12+ $searchField = Xml::escapeJsString( $this->data['searchField'] );
1313 $mainPageUrl = $this->data['mainPageUrl'];
1414 $randomPageUrl = $this->data['randomPageUrl'];
1515 $homeButton = $this->data['messages']['mobile-frontend-home-button'];
1616 $randomButton = $this->data['messages']['mobile-frontend-random-button'];
17 - $clearText = htmlentities( $this->data['messages']['mobile-frontend-clear-search'], ENT_QUOTES );
 17+ $clearText = Xml::escapeJsString( $this->data['messages']['mobile-frontend-clear-search'] );
1818 $searchValue = $this->data['messages']['mobile-frontend-search-submit'];
19 - $placeholder = htmlentities( $this->data['messages']['mobile-frontend-placeholder'], ENT_QUOTES );
 19+ $placeholder = Xml::escapeJsString( $this->data['messages']['mobile-frontend-placeholder'] );
2020
2121 $scriptUrl = wfScript();
2222 $searchBoxDisplayNone = ( $this->data['hideSearchBox'] ) ? ' style="display: none;" ' : '';
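
Review bot: The three replacements in this hunk (lines 12, 17 and 19) swap HTML escaping for JavaScript string-literal escaping on values that getHTML() builds into its markup, so the output is no longer HTML-safe. Xml::escapeJsString() only protects a JS string context (backslash-style escapes for quotes and line breaks); HTML does not interpret backslashes, so a double quote in $searchField, $clearText or $placeholder still reaches the browser as a literal quote and can terminate the attribute the original htmlspecialchars( ..., ENT_QUOTES ) / htmlentities( ..., ENT_QUOTES ) calls were protecting. That is the regression the follow-up r114683 (Bug 35673, XSS vulnerability in mobile search) addresses and the reason this revision was reverted. Keep the HTML escaping for the HTML sink, and where the same value is also written into inline JavaScript, escape it separately for that sink (for example with Xml::encodeJsVar()) rather than choosing one escaper for both contexts.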

Follow-up revisions

Revision | Commit summary | Author | Date
r114207 | MFT r114177, r114184, r114190, r114191, r114193 | awjrichards | 22:28, 19 March 2012
r114683 | Bug 35673 - XSS vulnerability in mobile search | reedy | 17:53, 3 April 2012

Comments

Comment by Preilly, 18:01, 3 April 2012

Xml::escapeJsString() is for escaping data to be included in JS; it's not suitable for HTML.

Comment by MaxSem, 18:04, 3 April 2012

Status & tagging log