From c0453dd391c570eb1a52eeaa817b9979f2618297 Mon Sep 17 00:00:00 2001 From: csteipp Date: Tue, 17 Mar 2015 15:20:56 -0700 Subject: [PATCH] SECURITY: Escape > in Html::expandAttributes Escape > characters in attributes, so we don't confuse post-processing, like LanguageConverter. Bug: T73394 Change-Id: I8d74e6a0e873cc54dec9557e2d8f7409e65f425f --- includes/Html.php | 7 +++++-- tests/parser/parserTests.txt | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/includes/Html.php b/includes/Html.php index 8799225..f429fb2 100644 --- a/includes/Html.php +++ b/includes/Html.php @@ -603,17 +603,20 @@ class Html { } else { // Apparently we need to entity-encode \n, \r, \t, although the // spec doesn't mention that. Since we're doing strtr() anyway, - // and we don't need <> escaped here, we may as well not call - // htmlspecialchars(). + // we may as well not call htmlspecialchars(). // @todo FIXME: Verify that we actually need to // escape \n\r\t here, and explain why, exactly. # // We could call Sanitizer::encodeAttribute() for this, but we // don't because we're stubborn and like our marginal savings on // byte size from not having to encode unnecessary quotes. + // The only difference between this transform and the one by + // Sanitizer::encodeAttribute() is '<' is only encoded here if + // $wgWellFormedXml is set, and ' is not encoded. $map = array( '&' => '&', '"' => '"', + '>' => '>', "\n" => ' ', "\r" => ' ', "\t" => ' ' diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt index 966b666..d6b085d 100644 --- a/tests/parser/parserTests.txt +++ b/tests/parser/parserTests.txt @@ -13669,7 +13669,7 @@ section 5 -

text > text[edit]

+

text > text[edit]

section 1

text < text[edit]

@@ -19294,7 +19294,7 @@ __TOC__

Hello[edit]

-

b">Evilbye[edit]

+

b">Evilbye[edit]

!! end -- 1.8.4.5