commit b26cc5d0f678c93215389fa5458a957034820bb1 Author: Brian Wolff Date: Sun Sep 28 16:16:39 2014 -0300 Make < and > be escaped in attribute values in Html::expandAttributes This makes the code just use Sanitizer::encodeAttribute, which in addition to that, also escapes single quote marks. Change-Id: I4895d2b489d62e27cf033835e3b49f069fbd7b48 diff --git a/includes/Html.php b/includes/Html.php index 1e16e39..be009f1 100644 --- a/includes/Html.php +++ b/includes/Html.php @@ -544,30 +544,10 @@ class Html { $ret .= " $key=\"\""; } } else { - // Apparently we need to entity-encode \n, \r, \t, although the - // spec doesn't mention that. Since we're doing strtr() anyway, - // and we don't need <> escaped here, we may as well not call - // htmlspecialchars(). - // @todo FIXME: Verify that we actually need to - // escape \n\r\t here, and explain why, exactly. - # - // We could call Sanitizer::encodeAttribute() for this, but we - // don't because we're stubborn and like our marginal savings on - // byte size from not having to encode unnecessary quotes. - $map = array( - '&' => '&', - '"' => '"', - "\n" => ' ', - "\r" => ' ', - "\t" => ' ' - ); - if ( $wgWellFormedXml ) { - // This is allowed per spec: - // But reportedly it breaks some XML tools? - // @todo FIXME: Is this really true? - $map['<'] = '<'; - } - $ret .= " $key=$quote" . strtr( $value, $map ) . $quote; + // Note: It's important to encode < and >, even if its not + // required in this context, due to how language converter + // works. + $ret .= " $key=$quote" . Sanitizer::encodeAttribute( $value ) . $quote; } } return $ret;