From: Aryeh Gregor Date: Mon, 24 Sep 2007 12:54:00 +0000 (+0000) Subject: Actually, Sanitizer::encodeAttribute() was broken, so my last fix didn't actually... X-Git-Tag: 1.31.0-rc.0~51313 X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22articles_versions%22%2C%22id_article=%24id_article%22%29%20.%20%22?a=commitdiff_plain;h=dbbc637a52ff2c9dd37bfbf3f1d132fa01271446;p=lhc%2Fweb%2Fwiklou.git Actually, Sanitizer::encodeAttribute() was broken, so my last fix didn't actually work, there was still HTML injection. Fixed it so it encodes single quotes too. The only other things in core that used it (or its friend safeEncodeAttribute) appear to be utility functions in Xml and Sanitizer::fixTagAttributes, all of which use double quotes. However, it's possible that the SemanticForms extension may be affected -- I didn't look closely, but it seems to safely use double-quotes. --- diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index f2dcbf94e1..c1c8daf37a 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php @@ -725,7 +725,7 @@ class Sanitizer { * @return HTML-encoded text fragment */ static function encodeAttribute( $text ) { - $encValue = htmlspecialchars( $text ); + $encValue = htmlspecialchars( $text, ENT_QUOTES ); // Whitespace is normalized during attribute decoding, // so if we've been passed non-spaces we must encode them
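Review bot: In the `encodeAttribute()` hunk the docblock line `@return HTML-encoded text fragment` is left as it was, so nothing tells callers that the result is now safe inside single-quoted attributes as well as double-quoted ones; suggest documenting that both `"` and `'` are encoded. The commit message says the previous fix still allowed HTML injection and that the other callers only "appear to" use double quotes, so a regression test that passes a value containing `'` through `encodeAttribute()` and asserts the quote comes back escaped would keep this from regressing. With `ENT_QUOTES`, `htmlspecialchars()` emits the single quote as `&#039;`, which any test or caller that compares encoded output needs to expect.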