Fix XSS in filter parameter. Normal setups (with $wgEnableProfileInfo = false) are not affected.
<?php
if ( !$wgEnableProfileInfo ) {
- echo "disabled\n";
+ echo "<p>Disabled</p>\n";
+ echo "</body></html>";
exit( 1 );
}
if ( $_expand === false )
$_expand = $expand;
- $nfilter = $_filter ? $_filter : $filter;
- $nsort = $_sort ? $_sort : $sort;
+ $nfilter = $_filter ? htmlspecialchars( $_filter ) : htmlspecialchars( $filter );
+ $nsort = $_sort ? htmlspecialchars( $_sort ) : htmlspecialchars( $sort );
$exp = urlencode( implode( ',', array_keys( $_expand ) ) );
return "?filter=$nfilter&sort=$nsort&expand=$exp";
}
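Review bot: The two added `htmlspecialchars()` calls escape for HTML, but the values are interpolated into a URL query string, so the escaping does not match the context. A `&`, `#`, `+` or space in the filter or sort value still changes the query string once the browser decodes the attribute, and with default flags single quotes are left unescaped on PHP versions before 8.1. The `expand` value on the next line already goes through `urlencode()`; doing the same here, `$nfilter = urlencode( $_filter ? $_filter : $filter );` and `$nsort = urlencode( $_sort ? $_sort : $sort );`, yields only URL-safe characters regardless of how the attribute is quoted. If the returned string is written into an `href` (the call sites are outside this hunk, so that is presumed), HTML-escaping belongs at that output point, applied to the whole URL with `ENT_QUOTES`. The enclosing function starts above the hunk.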