From 43f0ff44697a6c77800030f53ffeee67b5b71e50 Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Wed, 1 Apr 2009 08:50:57 +0000
Subject: [PATCH] In OutputPage::addScriptFile(): escape attributes for HTML. No XSS, just good practice.

---
 includes/OutputPage.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index ed9a43d3f5..39a248feb1 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -103,7 +103,15 @@ class OutputPage {
 } else {
 $path = "{$wgStylePath}/common/{$file}";
 }
- $this->addScript( "\n" );
+ $this->addScript(
+ Xml::element( 'script',
+ array(
+ 'type' => $wgJsMimeType,
+ 'src' => "$path?$wgStyleVersion",
+ ),
+ '', false
+ )
+ );
 }
 
 /**
-- 
2.20.1
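Review bot: Escaping through `Xml::element()` covers the HTML attribute context only; it does not constrain which URL ends up in `src`, and `$file` is still interpolated into `$path` unencoded in the visible `else` branch (the other branch lies outside the hunk, so how `$path` is built there cannot be checked here). Because a `<script src>` runs whatever it loads, the method's docblock should state the trust requirement, e.g. `@param string $file Script name or URL chosen by the developer; must never be derived from request data`. The trailing `'', false` arguments also deserve a short why-comment such as `// empty contents, no short tag: a self-closed <script/> is not treated as closed by HTML parsers`. The body of addScriptFile() begins before the hunk.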