| Index: trunk/phase3/js2/mwEmbed/jsScriptLoader.php |
| — | — | @@ -46,9 +46,9 @@ |
| 47 | 47 | } |
| 48 | 48 | |
| 49 | 49 | // setup script loader header info |
| 50 | | - $this->jsout .= 'var mwSlScript = "' . $_SERVER['SCRIPT_NAME'] . '";' . "\n"; |
| | 50 | + $this->jsout .= 'var mwSlScript = "' . htmlspecialchars( $_SERVER['SCRIPT_NAME'] ) . '";' . "\n"; |
| 51 | 51 | $this->jsout .= 'var mwSlGenISODate = "' . date( 'c' ) . '";' ."\n"; |
| 52 | | - $this->jsout .= 'var mwSlURID = "' . $this->urid . '";' ."\n"; |
| | 52 | + $this->jsout .= 'var mwSlURID = "' . htmlspecialchars( $this->urid ) . '";' ."\n"; |
| 53 | 53 | // Build the output: |
| 54 | 54 | // swap in the appropriate language per js_file |
| 55 | 55 | foreach( $this->jsFileList as $classKey => $file_name ){ |
| — | — | @@ -79,6 +79,11 @@ |
| 80 | 80 | continue; |
| 81 | 81 | } |
| 82 | 82 | } else { |
| | 83 | + //make sure the wiki title ends with .js |
| | 84 | + if( substr( $title_block, -3 ) != '.js'){ |
| | 85 | + $this->error_msg .= 'WikiTitle includes should end with .js'; |
| | 86 | + continue; |
| | 87 | + } |
| 83 | 88 | // it's a wikiTitle append the output of the wikitext: |
| 84 | 89 | $t = Title::newFromText( $title_block ); |
| 85 | 90 | $a = new Article( $t ); |
| — | — | @@ -92,11 +97,11 @@ |
| 93 | 98 | //dealing with files:: |
| 94 | 99 | //check that the filename ends with .js and does not include ../ traversing |
| 95 | 100 | if( substr( $file_name, -3 ) != '.js'){ |
| 96 | | - $this->jsout .= "\nError file name must end with .js: ". htmlspecialchars( $file_name ) . " \n "; |
| | 101 | + $this->error_msg .= "\nError file name must end with .js: ". htmlspecialchars( $file_name ) . " \n "; |
| 97 | 102 | continue; |
| 98 | 103 | } |
| 99 | 104 | if( strpos($file_name, '../') !== false ){ |
| 100 | | - $this->jsout .= "\nError file name must not traverse paths: ". htmlspecialchars( $file_name ) . " \n "; |
| | 105 | + $this->error_msg .= "\nError file name must not traverse paths: ". htmlspecialchars( $file_name ) . " \n "; |
| 101 | 106 | continue; |
| 102 | 107 | } |
| 103 | 108 | |
| — | — | @@ -205,7 +210,7 @@ |
| 206 | 211 | $this->jsFileList[$reqClass] = $wgJSAutoloadClasses[$reqClass]; |
| 207 | 212 | $this->rKey.= $reqClass; |
| 208 | 213 | } else { |
| 209 | | - $this->error_msg.= 'Requested class: ' . $reqClass . ' not found' . "\n"; |
| | 214 | + $this->error_msg.= 'Requested class: ' . htmlspecialchars( $reqClass ) . ' not found' . "\n"; |
| 210 | 215 | } |
| 211 | 216 | } |
| 212 | 217 | } |
| — | — | @@ -288,7 +293,7 @@ |
| 289 | 294 | return 'loadGM( ' . json_encode( $jmsg ) . ')'; |
| 290 | 295 | } else { |
| 291 | 296 | $this->error_msg.= "Could not parse JSON language msg in File:\n" . |
| 292 | | - $this->cur_file . "\n"; |
| | 297 | + htmlspecialchars ( $this->cur_file ) . "\n"; |
| 293 | 298 | } |
| 294 | 299 | // could not parse json (throw error?) |
| 295 | 300 | return $jvar[0]; |