From: Aryeh Gregor Date: Mon, 18 Aug 2008 18:15:47 +0000 (+0000) Subject: Re-committing 37663 for the new release, per old Wikitech-l discussion. X-Git-Tag: 1.31.0-rc.0~45823 X-Git-Url: http://git.cyclocoop.org/%24action?a=commitdiff_plain;h=c7a50892d6afe7f82b3655b21eeb4b292c363ae1;p=lhc%2Fweb%2Fwiklou.git Re-committing 37663 for the new release, per old Wikitech-l discussion. * (bug 13815) In the comment for page moves, use the colon-separator message instead of a hardcoded colon. * So that this works properly, don't escape HTML entities in edit summaries. I don't see any good reason for them to be escaped there. Of course, this may result in old edit summaries displaying slightly differently if for some reason they included an entity, but in that case there's at least a 50% chance that they intended it to not be escaped in the first place.
---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 6ef3bd28ed..20784439f0 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -94,6 +94,9 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 background colours based on classes "odd" and "even".
 * (bug 14187) In Special:Userlogin the buttons "Log in" and "E-mail new password" now have classes "mw-loginbutton" and "mw-mailmypasswordbutton".
+* HTML entities like   now work (are not escaped) in edit summaries.
+* (bug 13815) In the comment for page moves, use the colon-separator message
+ instead of a hardcoded colon.
 === Bug fixes in 1.14 ===
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index d70edbce27..dabe06d53b 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -676,9 +676,7 @@ function wfMsgExt( $key, $options ) {
 if ( in_array('escape', $options) ) {
 $string = htmlspecialchars ( $string );
 } elseif ( in_array( 'escapenoentities', $options ) ) {
- $string = htmlspecialchars( $string );
- $string = str_replace( '&', '&', $string );
- $string = Sanitizer::normalizeCharReferences( $string );
+ $string = Sanitizer::escapeHtmlAllowEntities( $string );
 }
 if( in_array('replaceafter', $options) ) {
diff --git a/includes/Linker.php b/includes/Linker.php
index 3485889992..db912e3866 100644
--- a/includes/Linker.php
+++ b/includes/Linker.php
@@ -1160,7 +1160,8 @@ class Linker {
 # Sanitize text a bit:
 $comment = str_replace( "\n", " ", $comment );
- $comment = htmlspecialchars( $comment );
+ # Allow HTML entities (for bug 13815)
+ $comment = Sanitizer::escapeHtmlAllowEntities( $comment );
 # Render autocomments and make links:
 $comment = $this->formatAutoComments( $comment, $title, $local );
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index b01912b6c1..13cde258d9 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -821,6 +821,22 @@ class Sanitizer {
 $class ), '_');
 }
+ /**
+ * Given HTML input, escape with htmlspecialchars but un-escape entites.
+ * This allows (generally harmless) entities like   to survive.
+ *
+ * @param string $html String to escape
+ * @return string Escaped input
+ */
+ static function escapeHtmlAllowEntities( $html ) {
+ # It seems wise to escape ' as well as ", as a matter of course. Can't
+ # hurt.
+ $html = htmlspecialchars( $html, ENT_QUOTES );
+ $html = str_replace( '&', '&', $html );
+ $html = Sanitizer::normalizeCharReferences( $html );
+ return $html;
+ }
+
 /**
 * Regex replace callback for armoring links against further processing.
 * @param array $matches
diff --git a/includes/Title.php b/includes/Title.php
index ee5c658614..0f1a18939b 100644
--- a/includes/Title.php
+++ b/includes/Title.php
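Review bot: In includes/GlobalFunctions.php the `escapenoentities` branch of wfMsgExt() is not a pure refactor, because the helper it now calls passes `ENT_QUOTES` to htmlspecialchars() while the removed inline call used the default flags. Single quotes in messages fetched with this option are therefore now emitted as a character reference. That is the safer choice for output placed inside single-quoted attributes, but existing callers see different output, so it deserves a comment above the call such as `# Note: also escapes ' (ENT_QUOTES), unlike the previous inline version` and a mention in RELEASE-NOTES. wfMsgExt() starts and ends outside this hunk.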
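Review bot: In includes/Linker.php the added comment `# Allow HTML entities (for bug 13815)` does not say why it is safe to switch user-supplied edit summaries from plain htmlspecialchars() to `Sanitizer::escapeHtmlAllowEntities( $comment )`. After this change a character reference typed by a user reaches formatAutoComments() and the later link rendering as a live reference instead of an escaped ampersand. Those passes are outside this hunk; they should be checked to confirm that none of them decodes references and re-emits the result without escaping it again. I would expand the comment to `# Entities pass through (bug 13815); later passes must treat $comment as already-escaped HTML and must not decode it`, and add a test with summaries that contain entity-encoded markup and quotes. The enclosing method starts and ends outside this hunk.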
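Review bot: In includes/Sanitizer.php the docblock of escapeHtmlAllowEntities() does not state that the method's safety rests on normalizeCharReferences(): every ampersand is un-escaped after htmlspecialchars(), so only that call re-escapes whatever is not a well-formed reference. The docblock should say so, should name the contexts the result is safe for (element content and quoted attribute values, given `ENT_QUOTES`), should describe the parameter as plain text rather than "HTML input", and should fix the typo `entites`. A unit test pinning the contract would help: tags and both quote characters escaped, a valid named or numeric reference preserved, a bogus one such as `&bogus;` escaped. As rendered on this page the `str_replace` arguments read `'&', '&'`, which is presumably `'&amp;', '&'` with the page's entities decoded.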
@@ -2758,7 +2758,9 @@ class Title {
 $fname = 'MovePageForm::moveToNewTitle';
 $comment = wfMsgForContent( '1movedto2', $this->getPrefixedText(), $nt->getPrefixedText() );
 if ( $reason ) {
- $comment .= ": $reason";
+ $comment .= wfMsgExt( 'colon-separator',
+ array( 'escapenoentities', 'content' ) );
+ $comment .= $reason;
 }
 $newid = $nt->getArticleID();
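Review bot: In includes/Title.php the move comment now mixes an HTML-escaped fragment with raw text, because `wfMsgExt( 'colon-separator', array( 'escapenoentities', 'content' ) )` returns escaped output and is concatenated with the unescaped `$reason`. If this string is stored as the edit summary, as the commit message suggests, every consumer must render it the way Linker now does. Anything that treats summaries as plain text or escapes them fully would presumably show the references literally. If the stored comment is meant to be plain text, one option is to store the decoded separator and keep all escaping at output time, e.g. `$comment .= Sanitizer::decodeCharReferences( wfMsgForContent( 'colon-separator' ) ) . $reason;`. The enclosing method starts and ends outside this hunk.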