From: Brion Vibber
Date: Mon, 10 Sep 2007 21:01:40 +0000 (+0000)
Subject: * (bug 11158) Fix escaping in API HTML-formatted JSON
X-Git-Tag: 1.31.0-rc.0~51439
X-Git-Url: http://git.cyclocoop.org/%22.%24info%5B?a=commitdiff_plain;h=13460975663840eabf722a8a227af20f3a014d4f;p=lhc%2Fweb%2Fwiklou.git
* (bug 11158) Fix escaping in API HTML-formatted JSON
---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 04836238f4..9f76ecdcc7 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -44,6 +44,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 editinterface to a new permission key editusercssjs.
 * (bug 11266) Set fallback language for Fulfulde (ff) to French
 * (bug 11179) Include image version deletion comment in public log
+* (bug 11158) Fix escaping in API HTML-formatted JSON
 === API changes in 1.12 ===
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index 209abd23d4..b69ebafe09 100644
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -158,8 +158,11 @@ See complete documentation, or
 * This method also replaces any '<' with <
 */
 protected function formatHTML($text) {
- // encode all tags as safe blue strings
- $text = ereg_replace('\<([^>]+)\>', '<\1>', $text);
+ // Escape everything first for full coverage
+ $text = htmlspecialchars($text);
+
+ // encode all comments or tags as safe blue strings
+ $text = preg_replace('/\<(!--.*?--|.*?)\>/', '<\1>', $text);
 // identify URLs
 $protos = "http|https|ftp|gopher";
 $text = ereg_replace("($protos)://[^ \\'\"()<\n]+", '\\0', $text);
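Review bot: Now that htmlspecialchars() runs first, the URL-linking step on the hunk's last context line can no longer rely on `"` and `'` as terminators: a JSON value `"http://example.org/"` reaches it as `&quot;http://example.org/&quot;`, and the class `[^ \\'\"()<\n]+` matches straight through `&quot;` up to the next space, so the generated link swallows the closing delimiter and whatever follows it (the `<` exclusion is likewise dead, since every `<` is already `&lt;`). Moving that call to preg_replace like the new tag line and stopping at the escaped delimiters, e.g. `(?:(?!&quot;|&#039;)[^ ()<\n])+` in place of the character class, keeps the link inside the string value. As shown on this page the new tag pattern looks for literal `<`…`>`, which cannot occur after the escape; presumably the committed pattern uses `&lt;`/`&gt;` and this rendering decoded the entities, which is worth confirming against the source. formatHTML continues past the end of the hunk.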