From 7e7079374f6a678aaa94591efc1f55e40eae28bb Mon Sep 17 00:00:00 2001
From: Siebrand Mazeland
Date: Sun, 26 Feb 2012 12:07:21 +0000
Subject: [PATCH] Follow-up r112424: Per IAlex on IRC: Use escape() instead of plain() for improved security.

---
 includes/Linker.php | 8 ++++----
 includes/Pager.php | 2 +-
 includes/specials/SpecialContributions.php | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/includes/Linker.php b/includes/Linker.php
index 03811580ae..fb23d7b6be 100644
--- a/includes/Linker.php
+++ b/includes/Linker.php
@@ -1399,7 +1399,7 @@ class Linker {
 return '';
 } else {
 $formatted = self::formatComment( $comment, $title, $local );
- $formatted = wfMessage( 'parentheses' )->rawParams( $formatted )->plain();
+ $formatted = wfMessage( 'parentheses' )->rawParams( $formatted )->escape();
 return " $formatted";
 }
 }
@@ -1441,7 +1441,7 @@ class Linker {
 } else {
 global $wgLang;
 $stxt = wfMsgExt( 'nbytes', 'parsemag', $wgLang->formatNum( $size ) );
- $stxt = wfMessage( 'parentheses' )->rawParams( $stxt )->plain();
+ $stxt = wfMessage( 'parentheses' )->rawParams( $stxt )->escape();
 }
 $stxt = htmlspecialchars( $stxt );
 return "$stxt";
@@ -1870,7 +1870,7 @@ class Linker {
 $html = $delete ? wfMsgHtml( 'rev-delundel' ) : wfMsgHtml( 'rev-showdeleted' );
 $tag = $restricted ? 'strong' : 'span';
 $link = self::link( $sp, $html, array(), $query, array( 'known', 'noclasses' ) );
- return Xml::tags( $tag, array( 'class' => 'mw-revdelundel-link' ), wfMessage( 'parentheses' )->rawParams( $link )->plain() );
+ return Xml::tags( $tag, array( 'class' => 'mw-revdelundel-link' ), wfMessage( 'parentheses' )->rawParams( $link )->escape() );
 }
 
 /**
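Review bot: The new line calls `->escape()` on the Message object, but the method I know on that class is `escaped()`; unless this series also adds an `escape()` alias, the first comment rendered through this path would fail with an undefined-method error rather than being escaped. The same call is introduced in the 1441, 1870 and 1883 hunks of this file and in the Pager.php and SpecialContributions.php hunks, so whichever name is correct has to be applied to all of them. For reviewers weighing the security gain: as far as I can tell from Message's formatting order, raw parameters are substituted after the escaping step, so `$formatted` (already HTML from formatComment) passes through untouched and only the wiki-editable `parentheses` message text is escaped, which is the intended improvement over `plain()`. The enclosing function begins before this hunk.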
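Review bot: In the 1441 hunk `$stxt` is now HTML-escaped twice on this branch: the changed line escapes the message output, and the context line `$stxt = htmlspecialchars( $stxt );` escapes the result again, so a `<` or `&` in the formatted size would be displayed as the literal text `&lt;` or `&amp;`. Either keep this branch at `$stxt = wfMessage( 'parentheses' )->rawParams( $stxt )->plain();` and rely on the existing htmlspecialchars() call, which the other branch of the if (outside the hunk) appears to depend on, or escape in both branches and drop the later call. The enclosing function starts and ends outside the hunk.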
@@ -1883,7 +1883,7 @@ class Linker {
 */
 public static function revDeleteLinkDisabled( $delete = true ) {
 $html = $delete ? wfMsgHtml( 'rev-delundel' ) : wfMsgHtml( 'rev-showdeleted' );
- return Xml::tags( 'span', array( 'class' => 'mw-revdelundel-link' ), wfMessage( 'parentheses' )->rawParams( $html )->plain() );
+ return Xml::tags( 'span', array( 'class' => 'mw-revdelundel-link' ), wfMessage( 'parentheses' )->rawParams( $html )->escape() );
 }
 
 /* Deprecated methods */
diff --git a/includes/Pager.php b/includes/Pager.php
index db2978a7e0..2673205229 100644
--- a/includes/Pager.php
+++ b/includes/Pager.php
@@ -771,7 +771,7 @@ abstract class ReverseChronologicalPager extends IndexPager {
 $limits = $this->getLanguage()->pipeList( $limitLinks );
 $firstLastLinks = wfMessage( 'parentheses' )->rawParams( "{$pagingLinks['first']}" .
 wfMsgExt( 'pipe-separator' , 'escapenoentities' ) .
- "{$pagingLinks['last']}" )->plain();
+ "{$pagingLinks['last']}" )->escape();
 
 $this->mNavigationBar = $firstLastLinks . ' ' .
 wfMsgHTML(
diff --git a/includes/specials/SpecialContributions.php b/includes/specials/SpecialContributions.php
index 6ea31396e9..7d55ce2c1a 100644
--- a/includes/specials/SpecialContributions.php
+++ b/includes/specials/SpecialContributions.php
@@ -254,7 +254,7 @@ class SpecialContributions extends SpecialPage {
 // @todo Should this be removed at some point?
 $oldMsg = $this->msg( 'contribsub' );
 if ( $oldMsg->exists() ) {
- $linksWithParentheses = $this->msg( 'parenteses' )->rawParams( $links )->plain();
+ $linksWithParentheses = $this->msg( 'parenteses' )->rawParams( $links )->escape();
 return $oldMsg->rawParams( "$user $linksWithParentheses" );
 } else {
 return $this->msg( 'contribsub2' )->rawParams( $user, $links );
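Review bot: In the SpecialContributions.php hunk the message key on the rewritten line is `'parenteses'`, while every other hunk in this patch uses `'parentheses'`; the typo predates this commit, but since the line is being rewritten anyway it should read `$linksWithParentheses = $this->msg( 'parentheses' )->rawParams( $links )->escape();`. With the misspelled key the message does not exist, so the links would be wrapped in whatever the missing-message fallback yields instead of parentheses. The enclosing method begins before this hunk and continues after it.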
@@ -839,7 +839,7 @@ class ContribsPager extends ReverseChronologicalPager {
 $del .= ' ';
 }
 
- $diffHistLinks = $this->msg( 'parentheses' )->rawParams( $difftext . $this->messages['pipe-separator'] . $histlink )->plain();
+ $diffHistLinks = $this->msg( 'parentheses' )->rawParams( $difftext . $this->messages['pipe-separator'] . $histlink )->escape();
 $ret = "{$del}{$d} {$diffHistLinks}{$chardiff}{$nflag}{$mflag} {$link}{$userlink} {$comment} {$topmarktext}";
 
 # Denote if username is redacted for this edit
-- 
2.20.1