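--- a/trunk/phase3/includes/api/ApiFormatBase.php
+++ b/trunk/phase3/includes/api/ApiFormatBase.php
@@ -158,8 +158,11 @@
 * This method also replaces any '<' with <
 */
 protected function formatHTML($text) {
-// encode all tags as safe blue strings
-$text = ereg_replace('\<([^>]+)\>', '<span style="color:blue;"><\1></span>', $text);
+// Escape everything first for full coverage
+$text = htmlspecialchars($text);
+
+// encode all comments or tags as safe blue strings
+$text = preg_replace('/\<(!--.*?--|.*?)\>/', '<span style="color:blue;"><\1></span>', $text);
 // identify URLs
 $protos = "http|https|ftp|gopher";
 $text = ereg_replace("($protos)://[^ \\'\"()<\n]+", '<a href="\\0">\\0</a>', $text);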
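Review bot: The tag-highlighting pattern on new line 166, as rendered here, matches a literal `<` … `>`, but those characters no longer exist in `$text` once `htmlspecialchars($text)` has run on line 163, so either the blue-span pass never fires or this page has decoded entities out of the source; please confirm the committed pattern and replacement use the entity forms, i.e. `/&lt;(!--.*?--|.*?)&gt;/` and `<span style="color:blue;">&lt;\1&gt;</span>`. The same applies to htmlPrinter in trunk/extensions/BotQuery/query.php. Escaping before linkifying is the right order — the value captured into `href="\0"` is already entity-escaped, so a quote in the input can no longer close the attribute — but the URL character class on line 168 still excludes a raw `"` rather than the `&quot;` it has now become, so a URL directly followed by a quote will swallow `&quot;` into both the href and the link text. Since the hunk moves the tag pass to PCRE, the URL pass could use preg_replace as well rather than leaving ereg_replace beside it. formatHTML continues outside the hunk, and its docblock (which starts before it) still describes only the '<' replacement; it should now say `* The whole text is first passed through htmlspecialchars(); tags, comments and URLs are then re-marked-up on the escaped text.`.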
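--- a/trunk/phase3/RELEASE-NOTES
+++ b/trunk/phase3/RELEASE-NOTES
@@ -44,6 +44,7 @@
 editinterface to a new permission key editusercssjs.
 * (bug 11266) Set fallback language for Fulfulde (ff) to French
 * (bug 11179) Include image version deletion comment in public log
+* (bug 11158) Fix escaping in API HTML-formatted JSON
 
 
 === API changes in 1.12 ===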
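--- a/trunk/extensions/BotQuery/query.php
+++ b/trunk/extensions/BotQuery/query.php
@@ -2607,8 +2607,11 @@
 */
 function htmlPrinter( $text )
 {
-// encode all tags as safe blue strings
-$text = ereg_replace( '\<([^>]+)\>', '<font color=blue><\1></font>', $text );
+// Escape everything first for full coverage
+$text = htmlspecialchars($text);
+
+// encode all comments or tags as safe blue strings
+$text = preg_replace('/\<(!--.*?--|.*?)\>/', '<span style="color:blue;"><\1></span>', $text);
 // identify URLs
 $text = ereg_replace("[a-zA-Z]+://[^ '()<\n]+", '<a href="\\0">\\0</a>', $text);
 // identify requests to query.php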