From: Brion Vibber
Date: Thu, 28 Apr 2005 23:06:47 +0000 (+0000)
Subject: Restore htmlspecialchars() on the editToken value before outputting to HTML.
X-Git-Tag: 1.5.0alpha1~80
X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22auteur_infos%22%2C%20%22id_auteur=%24id%22%29%20.%20%22?a=commitdiff_plain;h=af70c2893807e255b0af75f0191c92484c901719;p=lhc%2Fweb%2Fwiklou.git

Restore htmlspecialchars() on the editToken value before outputting to HTML.

While at the moment the editToken() value is safe for literal inclusion in HTML output, it's a black-box value to the rest of the code and such safety is not guaranteed. Escaping text values being placed in HTML/XML attributes or text elements is a regular part of the output process and it's a bad habit to leave it out on text values that are produced elsewhere; they can and do change (such as all those localized messages which are now user-editable...)
---
diff --git a/includes/EditPage.php b/includes/EditPage.php index bbe980ab59..7f042cafec 100644 --- a/includes/EditPage.php +++ b/includes/EditPage.php @@ -692,7 +692,7 @@ END * we won't save the page, or render user JavaScript and * CSS previews. */ - $token = $wgUser->editToken(); + $token = htmlspecialchars( $wgUser->editToken() ); $wgOut->addHTML( " \n" ); }
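Review bot: htmlspecialchars() with its default flags (ENT_COMPAT) escapes `&`, `<`, `>` and `"` but leaves a single quote untouched, so the `+ $token = htmlspecialchars( $wgUser->editToken() );` line only fully protects the interpolation in the following `$wgOut->addHTML( ... )` call if the hidden-input attribute is double-quoted; the attribute markup itself has been lost from this rendering of the hunk, so please confirm the quoting, and if the attribute is single-quoted pass `ENT_QUOTES` as the second argument. A second point for the same hunk: `$token` now holds the HTML-escaped form, so it must not be reused for anything other than output in this block (a comparison against the raw token from the request would fail once the token ever contained an escapable character); keeping the escape inline at the interpolation point, or renaming the variable to make the escaped state explicit, would remove that ambiguity.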