author | csteipp <csteipp@wikimedia.org> | 2012-06-01 10:00:45 -0700 |
committer | Reedy <reedy@wikimedia.org> | 2012-06-13 18:50:06 +0100 |
commit | b0e92c09fc24af2d50cebfd570a9a93b298b1912 (patch) | |
tree | fe8fc60d80d3ebf775c65e96dee5565e2ec64b2f | |
parent | 6002b31a9e22c94d1f151f5cb04d088db8006a18 (diff) |
(bug 36938) Fix escaping uselang parameter1.17.5
Quote uselang with double quotes, and add htmlspecialchars() escaping
to prevent XSS. Update the code comments in Language.php to make the
return value of getCode() more clear.
Change-Id: I6612795e85e0fb0b3a1d10e4352cb649d36abc3f
-rw-r--r-- | includes/SkinTemplate.php | 7 | ||||
-rw-r--r-- | languages/Language.php | 3 |
2 files changed, 8 insertions, 2 deletions
diff --git a/includes/SkinTemplate.php b/includes/SkinTemplate.php
index 023afdd88a5d..57d820304632 100644
--- a/includes/SkinTemplate.php
+++ b/includes/SkinTemplate.php
@@ -324,8 +324,11 @@ class SkinTemplate extends Skin {
 $lang = $wgLang->getCode();
 $dir = $wgLang->getDir();
 if ( $lang !== $wgContLang->getCode() || $dir !== $wgContLang->getDir() ) {
- $attrs = " lang='$lang' dir='$dir'";
-
+ $escUserlang = htmlspecialchars( $userlang );
+ $escUserdir = htmlspecialchars( $userdir );
+ // Attributes must be in double quotes because htmlspecialchars() doesn't
+ // escape single quotes
+ $attrs = " lang=\"$escUserlang\" dir=\"$escUserdir\"";
 $tpl->set( 'userlangattributes', $attrs );
 
 // The content of SpecialPages should be presented in the
diff --git a/languages/Language.php b/languages/Language.php
index fee5aec3da1e..3e887d71c7c4 100644
--- a/languages/Language.php
+++ b/languages/Language.php
@@ -2788,6 +2788,9 @@ class Language {
 
 /**
 * Get the RFC 3066 code for this language object
+ *
+ * NOTE: The return value of this function is NOT HTML-safe and must be escaped with
+ * htmlspecialchars() or similar
 */
 function getCode() {
 return $this->mCode; |
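Review bot: The two added `htmlspecialchars()` calls read `$userlang` and `$userdir`, but the context lines directly above assign the values to `$lang` and `$dir` and the `if` condition tests those same names; unless `$userlang`/`$userdir` are assigned somewhere above the hunk (nothing visible suggests it), the new code escapes undefined variables, emitting `lang="" dir=""` with PHP notices and silently losing the attributes the removed line used to set. The fix is to escape the variables this branch actually computes, `$escUserlang = htmlspecialchars( $lang );` and `$escUserdir = htmlspecialchars( $dir );`. I would also pass `ENT_QUOTES` here, e.g. `htmlspecialchars( $lang, ENT_QUOTES )`, so the attribute stays safe even if someone later switches the quoting style and the double-quote comment is no longer load-bearing. The enclosing method starts and ends outside this hunk.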
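Review bot: The new NOTE in the getCode() docblock says the value must be escaped with `htmlspecialchars()` "or similar", but the sibling SkinTemplate.php change in this same commit shows the trap that wording leaves open: `htmlspecialchars()` with default flags does not escape single quotes, so the escaped value is only safe inside double-quoted attributes. I would make the caveat explicit, e.g. `* NOTE: The return value is NOT HTML-safe: escape it with htmlspecialchars( $code, ENT_QUOTES ) before emitting it, or only ever place it inside double-quoted attributes.` A `@return string` tag would also help here, assuming mCode is always a string, which this hunk does not show.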