From 6c30fab96071a68907814e9ba3ce9e9429601c24 Mon Sep 17 00:00:00 2001
From: Fomafix <fomafix@googlemail.com>
Date: Mon, 3 Jul 2017 08:51:10 +0200
Subject: [PATCH] Use double quotes instead of singe quotes for HTML attributes

htmlspecialchars[1] encodes only double quotes not single quotes.
Therefor the HTML attribute must enclosed with double quotes for
correct output encoding.

[1] https://secure.php.net/manual/en/function.htmlspecialchars.php

Change-Id: I3fec5299585187ed70d62b9248007af34b0db85b
---
 includes/diff/DifferenceEngine.php     | 26 +++++++++++++-------------
 includes/logging/BlockLogFormatter.php |  2 +-
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/includes/diff/DifferenceEngine.php b/includes/diff/DifferenceEngine.php
index d4bee29940..7f9af604fd 100644
--- a/includes/diff/DifferenceEngine.php
+++ b/includes/diff/DifferenceEngine.php
@@ -1174,17 +1174,17 @@ class DifferenceEngine extends ContextSource {
 
 		if ( !$diff && !$otitle ) {
 			$header .= "
-			<tr style='vertical-align: top;' lang='{$userLang}'>
-			<td class='diff-ntitle'>{$ntitle}</td>
+			<tr style=\"vertical-align: top;\" lang=\"{$userLang}\">
+			<td class=\"diff-ntitle\">{$ntitle}</td>
 			</tr>";
 			$multiColspan = 1;
 		} else {
 			if ( $diff ) { // Safari/Chrome show broken output if cols not used
 				$header .= "
-				<col class='diff-marker' />
-				<col class='diff-content' />
-				<col class='diff-marker' />
-				<col class='diff-content' />";
+				<col class=\"diff-marker\" />
+				<col class=\"diff-content\" />
+				<col class=\"diff-marker\" />
+				<col class=\"diff-content\" />";
 				$colspan = 2;
 				$multiColspan = 4;
 			} else {
@@ -1193,20 +1193,20 @@ class DifferenceEngine extends ContextSource {
 			}
 			if ( $otitle || $ntitle ) {
 				$header .= "
-				<tr style='vertical-align: top;' lang='{$userLang}'>
-				<td colspan='$colspan' class='diff-otitle'>{$otitle}</td>
-				<td colspan='$colspan' class='diff-ntitle'>{$ntitle}</td>
+				<tr style=\"vertical-align: top;\" lang=\"{$userLang}\">
+				<td colspan=\"$colspan\" class=\"diff-otitle\">{$otitle}</td>
+				<td colspan=\"$colspan\" class=\"diff-ntitle\">{$ntitle}</td>
 				</tr>";
 			}
 		}
 
 		if ( $multi != '' ) {
-			$header .= "<tr><td colspan='{$multiColspan}' style='text-align: center;' " .
-				"class='diff-multi' lang='{$userLang}'>{$multi}</td></tr>";
+			$header .= "<tr><td colspan=\"{$multiColspan}\" style=\"text-align: center;\" " .
+				"class=\"diff-multi\" lang=\"{$userLang}\">{$multi}</td></tr>";
 		}
 		if ( $notice != '' ) {
-			$header .= "<tr><td colspan='{$multiColspan}' style='text-align: center;' " .
-				"lang='{$userLang}'>{$notice}</td></tr>";
+			$header .= "<tr><td colspan=\"{$multiColspan}\" style=\"text-align: center;\" " .
+				"lang=\"{$userLang}\">{$notice}</td></tr>";
 		}
 
 		return $header . $diff . "</table>";
diff --git a/includes/logging/BlockLogFormatter.php b/includes/logging/BlockLogFormatter.php
index a0bfb59345..1ed18cd0bb 100644
--- a/includes/logging/BlockLogFormatter.php
+++ b/includes/logging/BlockLogFormatter.php
@@ -60,7 +60,7 @@ class BlockLogFormatter extends LogFormatter {
 			// is shown on the correct side of the tooltip text.
 			$durationTooltip = '&lrm;' . htmlspecialchars( $params[4] );
 			$params[4] = Message::rawParam(
-				"<span class='blockExpiry' title='$durationTooltip'>" .
+				"<span class=\"blockExpiry\" title=\"$durationTooltip\">" .
 				$this->context->getLanguage()->translateBlockExpiry(
 					$params[4],
 					$this->context->getUser(),
-- 
2.20.1