From: Brion Vibber Date: Thu, 13 Sep 2007 19:06:54 +0000 (+0000) Subject: Reverting r25082: X-Git-Tag: 1.31.0-rc.0~51399 X-Git-Url: http://git.cyclocoop.org/%22.%24h.%22?a=commitdiff_plain;h=8cde3600cf32ec7ab67b0b0048f901e114f99599;p=lhc%2Fweb%2Fwiklou.git Reverting r25082: Do not restore security vulnerabilities to the codebase after a security release. Especially don't MAKE THEM WORSE IN THE PROCESS.
---
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index dec6cd37d5..b69ebafe09 100644
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -158,6 +158,8 @@ See complete documentation, or
 * This method also replaces any '<' with <
 */
 protected function formatHTML($text) {
+ // Escape everything first for full coverage
+ $text = htmlspecialchars($text);
 // encode all comments or tags as safe blue strings
 $text = preg_replace('/\<(!--.*?--|.*?)\>/', '<\1>', $text);