From b9868757737554d6648c9899b8bc77db33ebbacf Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Wed, 1 Apr 2009 08:51:54 +0000
Subject: [PATCH] * Escape attribute values * Document getRowClass()
---
 includes/Pager.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/includes/Pager.php b/includes/Pager.php
index e3ba4978ff..1078a74695 100644
--- a/includes/Pager.php
+++ b/includes/Pager.php
@@ -746,7 +746,7 @@ abstract class TablePager extends IndexPager {
 }
 function formatRow( $row ) {
- $rowClass = $this->getRowClass( $row );
+ $rowClass = htmlspecialchars( $this->getRowClass( $row ) );
 $s = "\n";
 $fieldNames = $this->getFieldNames();
 $this->mCurrentRow = $row; # In case formatValue needs to know
@@ -763,6 +763,10 @@ abstract class TablePager extends IndexPager {
 return $s;
 }
+ /**
+ * Get a class name to be applied to the given row.
+ * @param object $row The database result row
+ */
 function getRowClass($row) {
 return '';
 }
-- 
2.20.1
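Review bot: The new `htmlspecialchars()` call in formatRow() relies on the default flags, which on PHP versions before 8.1 (ENT_COMPAT) leave single quotes unescaped. The line that builds the row markup (`$s = ...`) seems to have lost its tag text in this view, so the attribute's quoting cannot be confirmed from the hunk. If the attribute is double-quoted the call is sufficient. Otherwise, passing the flag explicitly, `$rowClass = htmlspecialchars( $this->getRowClass( $row ), ENT_QUOTES );`, makes the escape independent of the quoting style. formatRow()'s body continues outside the hunk.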
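Review bot: The docblock added above getRowClass() omits the return value and the escaping contract that the first hunk introduces. formatRow() now passes the result through htmlspecialchars(), so overriding subclasses should return raw text, and an override that already escapes its value would end up double-encoded. I would add `@return string Unescaped CSS class name(s); formatRow() HTML-escapes the value` to the comment.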