From ebf718f48759d1c745b509fe81e6bdcb7ce9951e Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Sun Sep 28 16:16:39 2014 -0300
Subject: [PATCH] SECURITY: Make < and > be escaped in attribute values in Html::expandAttributes

This makes the code simply use Sanitizer::encodeAttribute, which, in
addition to escaping those characters, also escapes single quote marks.

Change-Id: I4895d2b489d62e27cf033835e3b49f069fbd7b48
---
 includes/Html.php | 29 ++++-------------------------
 1 file changed, 4 insertions(+), 25 deletions(-)

diff --git a/includes/Html.php b/includes/Html.php
index 2187b5b..14a490c 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -523,31 +523,10 @@ class Html {
 					$ret .= " $key=\"$key\"";
 				}
 			} else {
-				# Apparently we need to entity-encode \n, \r, \t, although the
-				# spec doesn't mention that.  Since we're doing strtr() anyway,
-				# and we don't need <> escaped here, we may as well not call
-				# htmlspecialchars().
-				# @todo FIXME: Verify that we actually need to
-				# escape \n\r\t here, and explain why, exactly.
-				#
-				# We could call Sanitizer::encodeAttribute() for this, but we
-				# don't because we're stubborn and like our marginal savings on
-				# byte size from not having to encode unnecessary quotes.
-				$map = array(
-					'&' => '&amp;',
-					'"' => '&quot;',
-					"\n" => '&#10;',
-					"\r" => '&#13;',
-					"\t" => '&#9;'
-				);
-				if ( $wgWellFormedXml ) {
-					# This is allowed per spec: <http://www.w3.org/TR/xml/#NT-AttValue>
-					# But reportedly it breaks some XML tools?
-					# @todo FIXME: Is this really true?
-					$map['<'] = '&lt;';
-				}
-				
-				$ret .= " $key=$quote" . strtr( $value, $map ) . $quote;
+				// Note: It's important to encode < and >, even if its not
+				// required in this context, due to how language converter
+				// works.
+				$ret .= " $key=$quote" . Sanitizer::encodeAttribute( $value ) . $quote;
 			}
 		}
 		return $ret;
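Review bot: The replacement comment at L47-49 gives a reader nothing to verify — `its` should be `it's`, and "due to how language converter works" does not say what goes wrong — so a later byte-size cleanup like the one the removed comment described could quietly reintroduce unescaped `<`/`>` in attribute values; suggest `// Always encode < and > here even though attribute context does not require it: the language converter processes the rendered output (see <TASK-ID placeholder>); pinned by a regression test in HtmlTest.` Pair that with a test in HtmlTest that calls `Html::expandAttributes( array( 'title' => "<a 'b' \"c\">" ) )` and asserts the result contains `&lt;` and `&gt;` and no raw `<` or `'`, so the security property is enforced by the test suite rather than by the comment. The value is still wrapped in `$quote`, which is assigned above the hunk; if it can ever be empty (unquoted attribute syntax), encodeAttribute presumably leaves plain spaces untouched, so confirm it is always a quote character. The enclosing function `expandAttributes` begins outside the hunk.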
-- 
1.9.2.msysgit.0

