From 71a96739a9fd89cfbd77093132a7e8d564482733 Mon Sep 17 00:00:00 2001
From: csteipp
Date: Mon, 22 Jun 2015 13:04:14 -0700
Subject: [PATCH] SECURITY: Fix multiple xss
Bug: T103391
---
includes/SF_PageSection.php | 8 +++-----
specials/SF_FormEdit.php | 10 +++++++++-
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/includes/SF_PageSection.php b/includes/SF_PageSection.php
index 0e02e72..c610c17 100644
--- a/includes/SF_PageSection.php
+++ b/includes/SF_PageSection.php
@@ -60,12 +60,10 @@ class SFPageSection {
 $section_level = $this->mSectionLevel;
 $section_str = wfMessage( 'sf_createform_pagesection' )->text() . " '" . $section_name . "'";
- $text = << -
-

$section_str

+ $text = Html::hidden( "section_$section_count", $section_name );
+ $text .= '
';
+ $text .= Html::element( 'h2', array(), $section_str );
-END;
 foreach ( $wgRequest->getValues() as $key => $value ) {
 if ( ( $pos = strpos( $key, '_section_'.$section_count ) ) != false ) {
 $paramName = substr( $key, 0, $pos );
diff --git a/specials/SF_FormEdit.php b/specials/SF_FormEdit.php
index d387f3b..5c5a9e0 100644
--- a/specials/SF_FormEdit.php
+++ b/specials/SF_FormEdit.php
@@ -52,7 +52,15 @@ class SFFormEdit extends UnlistedSpecialPage {
 if ( $i++ > 0 ) {
 $text .= ', ';
 }
- $text .= "" . str_replace( '_', ' ', $alt_form ) . '';
+ $text .= Html::element(
+ 'a',
+ array(
+ 'href' => $fe_url . '/'
+ . rawurlencode( $alt_form ) . '/'
+ . rawurlencode( $target_name )
+ ),
+ str_replace( '_', ' ', $alt_form )
+ );
 }
 return $text;
 }
-- 
1.8.4.5
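Review bot: The three new lines escape `$section_name` and `$section_str` correctly, but the loop that immediately follows them still matches user-supplied request keys with `strpos( $key, '_section_'.$section_count ) != false`, a loose comparison that treats a match at position 0 as "not found". A key from `$wgRequest->getValues()` that begins with `_section_N` is therefore silently skipped, and the intent of the check is hidden behind PHP's int-to-bool coercion; it should read `!== false`. This is pre-existing code rather than part of the XSS fix, and the skipped case is probably harmless here (it would yield an empty `$paramName`), but it is the only check applied before `substr()` derives a parameter name from the raw key. The enclosing method continues past the end of the hunk.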
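Review bot: `rawurlencode()` on the two new `href` path components also encodes `/`, so a target page whose name contains a slash (a subpage such as `Foo/Bar`) is emitted as `Foo%2FBar` in the path; whether that round-trips depends on how `$fe_url` is built, which is outside the hunk, and on the web server's handling of encoded slashes. MediaWiki's `wfUrlencode()` is the usual helper for a title placed in a URL path, since it leaves `/` unencoded while still escaping characters that matter inside the attribute value: `. wfUrlencode( $alt_form ) . '/'` and `. wfUrlencode( $target_name )`. Rendering the link through `Html::element()` so both the attribute and the link text are escaped is the right fix for the reported XSS. The enclosing method starts before the hunk; its `return $text;` and closing brace are inside it.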