From: River Tarnell
Date: Thu, 14 Oct 2004 08:58:47 +0000 (+0000)
Subject: fix xss attack
X-Git-Tag: 1.5.0alpha1~1540
X-Git-Url: http://git.cyclocoop.org/%24action?a=commitdiff_plain;h=217357f46e226deb47d36cfa469e3185c7c63f9d;p=lhc%2Fweb%2Fwiklou.git

fix xss attack
---

diff --git a/includes/Credits.php b/includes/Credits.php
index 822805254e..ffbeeff57a 100644
--- a/includes/Credits.php
+++ b/includes/Credits.php
@@ -74,8 +74,8 @@ function getAuthorCredits($article) {
 $author_credit = wfMsg('anonymous');
 } else {
- $real_name = User::whoIsReal($last_author);
- $user_name = User::whoIs($last_author);
+ $real_name = htmlspecialchars( User::whoIsReal($last_author) );
+ $user_name = htmlspecialchars( User::whoIs($last_author) );
 if (!empty($real_name)) {
 $author_credit = creditLink($user_name, $real_name);
@@ -125,9 +125,9 @@ function getContributorCredits($article, $cnt, $showIfMax) {
 foreach ($contributors as $user_parts) {
 if ($user_parts[0] != 0) {
 if ($wgAllowRealName && !empty($user_parts[2])) {
- $real_names[] = creditLink($user_parts[1], $user_parts[2]);
+ $real_names[] = htmlspecialchars( creditLink($user_parts[1], $user_parts[2]) );
 } else {
- $user_names[] = creditLink($user_parts[1]);
+ $user_names[] = htmlspecialchars( creditLink($user_parts[1]) );
 }
 } else {
 $anon = wfMsg('anonymous');
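Review bot: `$user_name` is HTML-escaped before it is handed to `creditLink($user_name, $real_name)`, so if `creditLink` derives the user-page title or URL from its first argument (its body is not in this diff), a name containing `&`, `<` or `"` would resolve to the wrong page. HTML escaping belongs where the value is written into markup, not on a value that is also used as a link target. I would keep `$user_name = User::whoIs($last_author);` raw and escape only the display text, ideally inside `creditLink` so that every caller is covered. The calls also rely on the default flags, which leave single quotes unescaped; `htmlspecialchars( $s, ENT_QUOTES )` is the safer form if the text can ever land in an attribute. getAuthorCredits continues outside the hunk.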
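Review bot: Both changed lines in the getContributorCredits hunk escape the return value of `creditLink(...)`, whereas the getAuthorCredits hunk escapes its arguments; the two approaches cannot both be correct. If `creditLink` returns link markup (its body is not in this diff, but the first hunk assigns its result straight to `$author_credit`), these lines will print the anchor tag as literal text in the contributor list. Escaping the inputs keeps the link intact, e.g. `$real_names[] = creditLink($user_parts[1], htmlspecialchars($user_parts[2]));`, or the escaping can move into `creditLink` itself so the call sites stay uniform. The loop and getContributorCredits continue outside the hunk.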