From: Brian Wolff <bawolff+wn@gmail.com>
Date: Fri, 6 Jul 2018 01:02:45 +0000 (+0000)
Subject: ChangesList: HTML escape the timestamp
X-Git-Tag: 1.34.0-rc.0~4580^2
X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22brouteur%22%2C%28%24id_rubrique%20?a=commitdiff_plain;h=01748b1cc1d4bfb5805273d74f4efccc4f5469e9;p=lhc%2Fweb%2Fwiklou.git

ChangesList: HTML escape the timestamp

Bug: T197002
Change-Id: Ib695674b9dc28a2f864f330e578cee6a1a7a4219
---

diff --git a/includes/changes/ChangesList.php b/includes/changes/ChangesList.php
index facf29ea84..ac8b3d48d9 100644
--- a/includes/changes/ChangesList.php
+++ b/includes/changes/ChangesList.php
@@ -531,10 +531,10 @@ class ChangesList extends ContextSource {
 	public function getTimestamp( $rc ) {
 		// @todo FIXME: Hard coded ". .". Is there a message for this? Should there be?
 		return $this->message['semicolon-separator'] . '<span class="mw-changeslist-date">' .
-			$this->getLanguage()->userTime(
+			htmlspecialchars( $this->getLanguage()->userTime(
 				$rc->mAttribs['rc_timestamp'],
 				$this->getUser()
-			) . '</span> <span class="mw-changeslist-separator">. .</span> ';
+			) ) . '</span> <span class="mw-changeslist-separator">. .</span> ';
 	}
 
 	/**