From: Tim Starling
Date: Mon, 13 Jul 2009 15:36:41 +0000 (+0000)
Subject: Fix dodgy uses of wfMsgHtml() and related HTML escaping
X-Git-Tag: 1.31.0-rc.0~40978
X-Git-Url: http://git.cyclocoop.org/%22.%24info%5B?a=commitdiff_plain;h=c35dba3c041aff7f836b225ad966cd70114fdcae;p=lhc%2Fweb%2Fwiklou.git
Fix dodgy uses of wfMsgHtml() and related HTML escaping
---
diff --git a/includes/LogPage.php b/includes/LogPage.php
index f6d29aaf75..be4a1c0609 100644
--- a/includes/LogPage.php
+++ b/includes/LogPage.php
@@ -214,11 +214,12 @@ class LogPage {
 self::formatBlockFlags( $params[2], is_null( $skin ) ) : '';
 // Page protections
 } else if ( $type == 'protect' && count($params) == 3 ) {
- $details .= " {$params[1]}"; // restrictions and expiries
 if( $params[2] ) {
 if ( $skin ) {
+ $details .= htmlspecialchars( " {$params[1]}" ); // restrictions and expiries
 $details .= ' ['.wfMsg('protect-summary-cascade').']';
 } else {
+ $details .= " {$params[1]}";
 $details .= ' ['.wfMsgForContent('protect-summary-cascade').']';
 }
 }
@@ -245,7 +246,7 @@ class LogPage {
 $details .= ': '.RevisionDeleter::getLogMessage( $count, $nfield, $ofield, true );
 }
 if ( $skin ) {
- $rv = wfMsgHtml( $wgLogActions[$key], $params ) . $details;
+ $rv = htmlspecialchars( wfMsg( $wgLogActions[$key], $params ) ) . $details;
 } else {
 $rv = wfMsgExt( $wgLogActions[$key], array( 'parsemag', 'escape', 'replaceafter', 'content' ), $params ) . $details;
 }
diff --git a/includes/specials/SpecialContributions.php b/includes/specials/SpecialContributions.php
index 8956535a2e..c21329368c 100644
--- a/includes/specials/SpecialContributions.php
+++ b/includes/specials/SpecialContributions.php
@@ -144,7 +144,7 @@ class SpecialContributions extends SpecialPage {
 $sk = $wgUser->getSkin();
 if( 0 == $id ) {
- $user = $nt->getText();
+ $user = htmlspecialchars( $nt->getText() );
 } else {
 $user = $sk->link( $nt, htmlspecialchars( $nt->getText() ) );
 }
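Review bot: In the `protect` branch of the first LogPage.php hunk, the restrictions-and-expiries text `{$params[1]}` is now appended only inside `if( $params[2] )`, whereas the removed line appended it unconditionally, so a protection logged without the cascade flag would lose that detail. The escaping decision depends only on `$skin`, so it can stay outside the cascade check: `$details .= $skin ? htmlspecialchars( " {$params[1]}" ) : " {$params[1]}";` placed before `if( $params[2] ) {`. The neighbouring `wfMsg('protect-summary-cascade')` is still concatenated into `$details` without escaping on the `$skin` path. The enclosing function starts and ends outside the hunk.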
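Review bot: In the second LogPage.php hunk, `htmlspecialchars( wfMsg( $wgLogActions[$key], $params ) )` escapes the message only after the parameters have been substituted, so any element of `$params` that already holds HTML when `$skin` is set would be rendered as literal markup; how `$params` is built is outside the hunk, so this needs checking against the surrounding code. If such parameters exist, the option list already used in the `else` branch covers the case without the `content` flag: `$rv = wfMsgExt( $wgLogActions[$key], array( 'parsemag', 'escape', 'replaceafter' ), $params ) . $details;`. `$details` is appended after the escape, so each branch that builds it has to escape its own pieces, which a comment `// $details is HTML when $skin is set` above this line would record.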
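Review bot: After this change both branches of `if( 0 == $id )` produce HTML, but the name `$user` does not say so and the same `htmlspecialchars( $nt->getText() )` call is now written twice; the hunk in SpecialDeletedContributions.php has the same shape. Escaping once with `$name = htmlspecialchars( $nt->getText() );` and using `$name` in both branches, together with a comment `// $user is escaped HTML from here on`, would make it harder for a later edit to reintroduce the raw title text. How `$user` is consumed lies outside the hunk.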
diff --git a/includes/specials/SpecialDeletedContributions.php b/includes/specials/SpecialDeletedContributions.php
index c57b2d5bb5..79bd134b89 100644
--- a/includes/specials/SpecialDeletedContributions.php
+++ b/includes/specials/SpecialDeletedContributions.php
@@ -324,7 +324,7 @@ class DeletedContributionsPage extends SpecialPage {
 $sk = $wgUser->getSkin();
 if ( 0 == $id ) {
- $user = $nt->getText();
+ $user = htmlspecialchars( $nt->getText() );
 } else {
 $user = $sk->link( $nt, htmlspecialchars( $nt->getText() ) );
 }
diff --git a/includes/specials/SpecialUserrights.php b/includes/specials/SpecialUserrights.php
index 22929b17f3..c61c6d9e49 100644
--- a/includes/specials/SpecialUserrights.php
+++ b/includes/specials/SpecialUserrights.php
@@ -498,9 +498,13 @@ class UserrightsPage extends SpecialPage {
 $ret .= "\t\n";
 foreach( $column as $group => $checkbox ) {
 $attr = $checkbox['disabled'] ? array( 'disabled' => 'disabled' ) : array();
- $text = $checkbox['irreversible']
- ? wfMsgHtml( 'userrights-irreversible-marker', User::getGroupMember( $group ) )
- : User::getGroupMember( $group );
+
+ if ( $checkbox['irreversible'] ) {
+ $text = htmlspecialchars( wfMsg( 'userrights-irreversible-marker',
+ User::getGroupMember( $group ) ) );
+ } else {
+ $text = htmlspecialchars( User::getGroupMember( $group ) );
+ }
 $checkboxHtml = Xml::checkLabel( $text, "wpGroup-" . $group, "wpGroup-" . $group, $checkbox['set'], $attr );
 $ret .= "\t\t" . ( $checkbox['disabled']
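Review bot: In the SpecialUserrights.php hunk both branches now hand `htmlspecialchars()` output to `Xml::checkLabel( $text, ... )`; whether `checkLabel()` escapes its label itself is not visible here, and if it does, a group name or marker message containing `&` or `<` will be double-encoded. Confirm which side owns the escaping and state it in a comment above the `if`, for example `// Xml::checkLabel() expects <raw text|HTML> for the label`. If the helper escapes, the two assignments reduce to `$text = wfMsg( 'userrights-irreversible-marker', User::getGroupMember( $group ) );` and `$text = User::getGroupMember( $group );`. The enclosing `foreach` continues past the end of the hunk.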