From: Fomafix <fomafix@googlemail.com>
Date: Wed, 13 Sep 2017 10:37:36 +0000 (+0200)
Subject: Skin.php: HTML escape message pipe-separator
X-Git-Tag: 1.31.0-rc.0~2123^2
X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22auteur_infos%22%2C%22id_auteur=%24connect_id_auteur%22%29%20.%20%22?a=commitdiff_plain;h=ce75f790bc5e7dd08818d3ad2dab685e0ef50de0;p=lhc%2Fweb%2Fwiklou.git

Skin.php: HTML escape message pipe-separator

This prevents HTML and JavaScript injections.

Change-Id: I6241dadf29e96aa1aa15324a3edc51538214345d
---

diff --git a/includes/skins/Skin.php b/includes/skins/Skin.php
index df7a9edede..eaee0d2572 100644
--- a/includes/skins/Skin.php
+++ b/includes/skins/Skin.php
@@ -1611,7 +1611,7 @@ abstract class Skin extends ContextSource {
 
 		$result .= implode(
 			'<span class="mw-editsection-divider">'
-				. wfMessage( 'pipe-separator' )->inLanguage( $lang )->text()
+				. wfMessage( 'pipe-separator' )->inLanguage( $lang )->escaped()
 				. '</span>',
 			$linksHtml
 		);