The alignment parameter is totally safe (see the very convoluted
code in the parser), but it's best practice to escape things right
before the output. Additionally, this protects in case any extension
uses a hook to do anything silly.
Change-Id: Ie19b106409d55c704b69280e2d0e2bb29068bd2e
$s = $thumb->toHtml( $params );
}
if ( $frameParams['align'] != '' ) {
- $s = "<div class=\"float{$frameParams['align']}\">{$s}</div>";
+ $s = Html::rawElement(
+ 'div',
+ [ 'class' => 'float' . $frameParams['align'] ],
+ $s
+ );
}
return str_replace( "\n", ' ', $prefix . $s . $postfix );
}
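Review bot: The new `'class' => 'float' . $frameParams['align']` entry escapes the value for the attribute context but does not constrain it, so a hook-supplied value containing whitespace would still add extra class names to the div. Since the commit message names extension hooks as the case being defended against, consider also checking `$frameParams['align']` against the alignment values the parser accepts before building the class. A short comment that `$s` is passed through unescaped on purpose (it is already HTML from `$thumb->toHtml( $params )`) would help later readers of the `Html::rawElement` call.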