From d7b5482790f74bb6e2661280eda428d1fafe7ebb Mon Sep 17 00:00:00 2001
From: csteipp
Date: Thu, 19 Feb 2015 15:05:40 -0800
Subject: [PATCH] SECURITY: Escape > in Html::expandAttributes
Escape > characters in attributes, so we don't confuse post-processing, like LanguageConverter.
Bug: T73394
Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
---
includes/Html.php | 7 +++++--
tests/parser/parserTests.txt | 4 ++--
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/includes/Html.php b/includes/Html.php
index 93a1a04..cdfb0f1 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -608,17 +608,20 @@ class Html {
 } else {
 // Apparently we need to entity-encode \n, \r, \t, although the
 // spec doesn't mention that. Since we're doing strtr() anyway,
- // and we don't need <> escaped here, we may as well not call
- // htmlspecialchars().
+ // we may as well not call htmlspecialchars().
 // @todo FIXME: Verify that we actually need to
 // escape \n\r\t here, and explain why, exactly.
 #
 // We could call Sanitizer::encodeAttribute() for this, but we
 // don't because we're stubborn and like our marginal savings on
 // byte size from not having to encode unnecessary quotes.
+ // The only difference between this transform and the one by
+ // Sanitizer::encodeAttribute() is '<' is only encoded here if
+ // $wgWellFormedXml is set, and ' is not encoded.
 $map = array(
 '&' => '&',
 '"' => '"',
+ '>' => '>',
 "\n" => ' ',
 "\r" => ' ',
 "\t" => ' '
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index cc66280..fb223a8 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -13576,7 +13576,7 @@ section 5 -
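Review bot: The new `'>'` entry in `$map` carries no comment saying why `>` is now escaped, while the surrounding comments still argue that this branch deliberately does less than htmlspecialchars(); the rationale lives only in the commit message. A one-line comment on that entry, `// '>' is escaped so that post-processing of the output (e.g. LanguageConverter) is not confused by it — see T73394`, keeps the reason next to the code. The added comment's claim that `<` is encoded only when `$wgWellFormedXml` is set describes the other branch of the `if`, which lies outside this hunk, so it cannot be verified from the hunk alone and is worth re-reading against that branch. The diffstat shows the behaviour change exercised only through parserTests.txt; a direct unit test asserting that Html::expandAttributes escapes `>` inside an attribute value would pin it independently of the parser. The enclosing function starts and ends outside the hunk.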

text > text[edit]

+

text > text[edit]

section 1

text < text[edit]

@@ -19201,7 +19201,7 @@ __TOC__

Hello[edit]

-

b">Evilbye[edit]

+

b">Evilbye[edit]

!! end -- 1.8.4.5