Merge "(bug 36938) XSS in uselang parameter"

diff --git a/includes/SkinTemplate.php b/includes/SkinTemplate.php
index b74f7c5..aee2e83 100644 (file)
--- a/includes/SkinTemplate.php
+++ b/includes/SkinTemplate.php
@@ -294,7 +294,11 @@ class SkinTemplate extends Skin {
                $tpl->set( 'specialpageattributes', '' ); # obsolete
 
                if ( $userlang !== $wgContLang->getHtmlCode() || $userdir !== $wgContLang->getDir() ) {
-                       $attrs = " lang='$userlang' dir='$userdir'";
+                       $escUserlang = htmlspecialchars( $userlang );
+                       $escUserdir = htmlspecialchars( $userdir );
+                       // Attributes must be in double quotes because htmlspecialchars() doesn't
+                       // escape single quotes
+                       $attrs = " lang=\"$escUserlang\" dir=\"$escUserdir\"";
                        $tpl->set( 'userlangattributes', $attrs );
                }
 

diff --git a/languages/Language.php b/languages/Language.php
index 5bb7762..85b9fab 100644 (file)
--- a/languages/Language.php
+++ b/languages/Language.php
@@ -3687,6 +3687,9 @@ class Language {
        /**
         * Get the RFC 3066 code for this language object
         *
+        * NOTE: The return value of this function is NOT HTML-safe and must be escaped with
+        * htmlspecialchars() or similar
+        *
         * @return string
         */
        public function getCode() {
@@ -3696,6 +3699,10 @@ class Language {
        /**
         * Get the code in Bcp47 format which we can use
         * inside of html lang="" tags.
+        *
+        * NOTE: The return value of this function is NOT HTML-safe and must be escaped with
+        * htmlspecialchars() or similar.
+        *
         * @since 1.19
         * @return string
         */