r82232 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r82231‎ \| r82232 \| r82233 >
Date:	11:28, 16 February 2011
Author:	catrope
Status:	resolved (Comments)
Tags:
Comment:	(bug 26603) returnto parameter in login link not escaped when viewed on Special:Userlogout
Modified paths:	/trunk/phase3/includes/SkinTemplate.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/SkinTemplate.php
—	—	@@ -570,7 +570,7 @@
571	571	$personal_urls = array();
572	572	$page = $wgRequest->getVal( 'returnto', $this->thisurl );
573	573	$query = $wgRequest->getVal( 'returntoquery', $this->thisquery );
574		~~- $returnto = "returnto=$page";~~
	574	+ $returnto = wfArrayToCGI( array( 'returnto' => $page ) );
575	575	if( $this->thisquery != '' ) {
576	576	$returnto .= "&returntoquery=$query";
577	577	}

Follow-up revisions

Revision	Commit summary	Author	Date
r86697	(bug 26603) Followup r82232: fix double-escaping of returnto and returntoquer...	catrope	10:47, 22 April 2011

Comments

#Comment by Liangent (talk | contribs) 05:45, 9 March 2011

See my comment in bug 26603.

#Comment by Liangent (talk | contribs) 05:49, 9 March 2011

In function outputPage, there is $this->thisurl = $this->mTitle->getPrefixedURL();, so $this->thisurl is already in an escaped form. Escaping it again with wfArrayToCGI causes it to be double-escaped.

#Comment by Liangent (talk | contribs) 11:51, 9 March 2011

So we should write use $wgRequest->getVal without fallback, and concatenate "returnto=" and (encoded getVal results OR plain $this->thisurl).

Status & tagging log

00:38, 15 June 2011 Brion VIBBER (talk | contribs) changed the status of r82232 [removed: new added: resolved]
10:47, 22 April 2011 Catrope (talk | contribs) changed the status of r82232 [removed: fixme added: new]
05:45, 9 March 2011 Liangent (talk | contribs) changed the status of r82232 [removed: new added: fixme]