r57182 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r57181‎ \| r57182 \| r57183 >
Date:	01:30, 1 October 2009
Author:	simetrical
Status:	ok
Tags:
Comment:	Escape '<' in attribute values for well-formed XML This fixes r56407, which fixed bug 20655. Now $wgWellFormedXml is used, not $wgHtml5. The previous code was outputting malformed XML if $wgHtml5 and $wgWellFormedXml were both true. I wish we had unit tests for this. :(
Modified paths:	/trunk/phase3/includes/Html.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/Html.php
—	—	@@ -353,17 +353,23 @@
354	354	# and we don't need <> escaped here, we may as well not call
355	355	# htmlspecialchars(). FIXME: verify that we actually need to
356	356	# escape \n\r\t here, and explain why, exactly.
357		~~- if ( $wgHtml5 ) {~~
358		~~- $ret .= " $key=$quote" . strtr( $value, array(~~
359		~~- '&' => '&',~~
360		~~- '"' => '"',~~
361		~~- "\n" => ' ',~~
362		~~- "\r" => ' ',~~
363		~~- "\t" => ' '~~
364		~~- ) ) . $quote;~~
365		~~- } else {~~
366		~~- $ret .= " $key=$quote" . Sanitizer::encodeAttribute( $value ) . $quote;~~
	357	+ #
	358	+ # We could call Sanitizer::encodeAttribute() for this, but we
	359	+ # don't because we're stubborn and like our marginal savings on
	360	+ # byte size from not having to encode unnecessary quotes.
	361	+ $map = array(
	362	+ '&' => '&',
	363	+ '"' => '"',
	364	+ "\n" => ' ',
	365	+ "\r" => ' ',
	366	+ "\t" => ' '
	367	+ );
	368	+ if ( $wgWellFormedXml ) {
	369	+ # '<' must be escaped in attributes for XML for some
	370	+ # reason, per spec: http://www.w3.org/TR/xml/#NT-AttValue
	371	+ $map['<'] = '<';
367	372	}
	373	+ $ret .= " $key=$quote" . strtr( $value, $map ) . $quote;
368	374	}
369	375	}
370	376	return $ret;

Revision	Commit summary	Author	Date
r56407	(bug 20655) If $wgHtml5 is false, run attribute values through Sanitizer::enc...	mrzman	05:29, 16 September 2009

19:34, 1 October 2009 Brion VIBBER (talk | contribs) changed the status of r57182 [removed: new added: ok]