authorTim Starling <tstarling@users.mediawiki.org>2009-07-13 17:13:27 +0000
committerTim Starling <tstarling@users.mediawiki.org>2009-07-13 17:13:27 +0000
commitf19be260ba0a4ac5f37512b80840002eec62dede (patch)
tree328a79670426454b2eb28c4416e754fe24978eac
parentad86dc9da01257ee04aaabe29f18d2f03ed8f1c6 (diff)
Backported r53159 to 1.14 and 1.151.14.1
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/53180
-rw-r--r--RELEASE-NOTES1
-rw-r--r--includes/specials/SpecialBlockip.php2
2 files changed, 2 insertions, 1 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 548ae895a598..0253960a6411 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -33,6 +33,7 @@ fixed in 1.15.0.
* (bug 17832) Fixed action=delete returning 'unknownerror' instead of
'permissiondenied' when the user is blocked
* Fixed performance regression when accessing deleted (archived) files
+* (bug 19693) Fixed cross-site scripting vulnerability in Special:Block
== Changes since 1.14.0rc1 ==
diff --git a/includes/specials/SpecialBlockip.php b/includes/specials/SpecialBlockip.php
index 4d82997fdcd8..6b836d55c779 100644
--- a/includes/specials/SpecialBlockip.php
+++ b/includes/specials/SpecialBlockip.php
@@ -525,7 +525,7 @@ class IPBlockForm {
*/
private function getContribsLink( $skin ) {
$contribsPage = SpecialPage::getTitleFor( 'Contributions', $this->BlockAddress );
- return $skin->link( $contribsPage, wfMsgHtml( 'ipb-blocklist-contribs', $this->BlockAddress ) );
+ return $skin->link( $contribsPage, wfMsgExt( 'ipb-blocklist-contribs', 'escape', $this->BlockAddress ) );
}
/**
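Review bot: The new return line in getContribsLink depends on wfMsgExt's 'escape' option to neutralise $this->BlockAddress, but nothing at the call site says why, and the name wfMsgHtml reads as if it were already safe, so a later cleanup could revert it. I would add a comment above the return such as `// BlockAddress is user-supplied and link() emits its text argument as raw HTML; escape after parameter substitution`. Only this one method is visible, so it is worth checking other wfMsgHtml calls in IPBlockForm that pass request-derived values as message parameters, since they would presumably have the same gap. The method's docblock and the enclosing class begin outside the hunk.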