r77129 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r77128‎ \| r77129 \| r77130 >
Date:	02:39, 23 November 2010
Author:	tstarling
Status:	ok
Tags:
Comment:	In wfEscapeWikiText(), add "}}" to the list of things to escape, for callers that produce template invocations, as in r77128.
Modified paths:	/trunk/phase3/includes/GlobalFunctions.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/GlobalFunctions.php
—	—	@@ -1287,8 +1287,10 @@
1288	1288	*/
1289	1289	function wfEscapeWikiText( $text ) {
1290	1290	$text = str_replace(
1291		~~- array( '[', '\|', ']', '\'', 'ISBN ', 'RFC ', '://', "\n=", '{{' ), # }}~~
1292		~~- array( '[', '\|', ']', ''', 'ISBN ', 'RFC ', '://', "\n=", '{{' ),~~
	1291	+ array( '[', '\|', ']', '\'', 'ISBN ',
	1292	+ 'RFC ', '://', "\n=", '{{', '}}' ),
	1293	+ array( '[', '\|', ']', ''', 'ISBN ',
	1294	+ 'RFC ', '://', "\n=", '{{', '}}' ),
1293	1295	htmlspecialchars( $text )
1294	1296	);
1295	1297	return $text;

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r77128	* Avoid XSS via malicious RSS on wikis with $wgRawHtml = true. Mostly reverts...	tstarling	02:16, 23 November 2010

Status & tagging log

15:16, 3 December 2010 Catrope (talk | contribs) changed the status of r77129 [removed: new added: ok]