From: umherirrender
Date: Tue, 27 Jan 2015 20:47:55 +0000 (+0100)
Subject: Fully escape return value from FileDuplicateSearchPage::formatResult
X-Git-Tag: 1.31.0-rc.0~12562^2
X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22brouteur%22%2C%28%24id_rubrique%20?a=commitdiff_plain;h=a0653f7dd059d245c82632a068fdcaa98ee3d04c;p=lhc%2Fweb%2Fwiklou.git
Fully escape return value from FileDuplicateSearchPage::formatResult
Also avoids unneeded recreation of a title object
Bug: T85864
Change-Id: I0298887e2ee5da9c1694393fb06cfa5eed0e46d3
---
diff --git a/includes/specials/SpecialFileDuplicateSearch.php b/includes/specials/SpecialFileDuplicateSearch.php
index 0ebbbc90b2..607b4f6f12 100644
--- a/includes/specials/SpecialFileDuplicateSearch.php
+++ b/includes/specials/SpecialFileDuplicateSearch.php
@@ -196,7 +196,7 @@ class FileDuplicateSearchPage extends QueryPage {
 *
 * @param Skin $skin
 * @param File $result
- * @return string
+ * @return string HTML
 */
 function formatResult( $skin, $result ) {
 global $wgContLang;
@@ -204,8 +204,8 @@ class FileDuplicateSearchPage extends QueryPage {
 $nt = $result->getTitle();
 $text = $wgContLang->convert( $nt->getText() );
 $plink = Linker::link(
- Title::newFromText( $nt->getPrefixedText() ),
- $text
+ $nt,
+ htmlspecialchars( $text )
 );
 $userText = $result->getUser( 'text' );
@@ -220,7 +220,8 @@ class FileDuplicateSearchPage extends QueryPage {
 $user = htmlspecialchars( $userText );
 }
- $time = $this->getLanguage()->userTimeAndDate( $result->getTimestamp(), $this->getUser() );
+ $time = htmlspecialchars( $this->getLanguage()->userTimeAndDate(
+ $result->getTimestamp(), $this->getUser() ) );
 return "$plink . . $user . . $time";
 }
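Review bot: The new `htmlspecialchars( $text )` argument in the `Linker::link(` call carries no comment explaining why it is needed, and the reason is not obvious from the call site. Linker::link() emits its second argument as raw HTML, so the converted title text has to be escaped before it is passed. I would add `// Linker::link() outputs its second argument as raw HTML; escape the converted title text` above the call so a later cleanup does not remove it as redundant. The local-user branch that follows `$userText = $result->getUser( 'text' )` lies between this hunk and the next and is not shown, so it is worth confirming that any link text built there is escaped the same way. formatResult's body starts and ends outside this hunk.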
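Review bot: The wrapped `$time = htmlspecialchars( ...userTimeAndDate(` statement closes with `) );` on a continuation line, which makes it hard to see at a glance that the whole formatted timestamp is what gets escaped. Splitting it reads more clearly: `$formatted = $this->getLanguage()->userTimeAndDate( $result->getTimestamp(), $this->getUser() );` followed by `$time = htmlspecialchars( $formatted );`. A short comment on the return, `// every fragment interpolated here must already be HTML-escaped`, would record the invariant that the `@return string HTML` tag now promises. That holds for `$plink` and `$time` in the visible lines, while for `$user` only the `htmlspecialchars( $userText )` branch is shown.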