From: Brion Vibber Date: Mon, 5 Jan 2009 20:46:43 +0000 (+0000) Subject: Follow-up to r45425 -- bug was in MWSearch, not core. It's supposed to be HTML-format... X-Git-Tag: 1.31.0-rc.0~43560 X-Git-Url: http://git.cyclocoop.org/%24href?a=commitdiff_plain;h=366b3477953f0a32d8b93ad36218c0953b3cdc2f;p=lhc%2Fweb%2Fwiklou.git Follow-up to r45425 -- bug was in MWSearch, not core. It's supposed to be HTML-formatted, but was being built unsafely. Adding a comment on SearchEngine to clarify that getSuggestionSnippet() returns HTML
---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 604162b28a..14dce00ecb 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -468,7 +468,6 @@ The following extensions are migrated into MediaWiki 1.14:
that STDIN can be used for page list
* Sanitizer::decodeCharReferences() now decodes the XHTML "'" character entity (loosely related to bug 14365)
-* Fix XSS in Special:Search with extended engine features ("did you mean")
=== API changes in 1.14 ===
diff --git a/includes/SearchEngine.php b/includes/SearchEngine.php
index db7431e36f..3ea0341d8c 100644
--- a/includes/SearchEngine.php
+++ b/includes/SearchEngine.php
@@ -470,7 +470,7 @@ class SearchResultSet {
}
/**
- * @return string highlighted suggested query, '' if none
+ * @return string HTML highlighted suggested query, '' if none
*/
function getSuggestionSnippet(){
return '';
diff --git a/includes/specials/SpecialSearch.php b/includes/specials/SpecialSearch.php
index c7678d22e7..f3117242d1 100644
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -169,7 +169,7 @@ class SpecialSearch {
$this->powerSearchOptions() );
$suggestLink = $sk->makeKnownLinkObj( $st,
- htmlspecialchars( $textMatches->getSuggestionSnippet() ),
+ $textMatches->getSuggestionSnippet(),
$stParams );
$this->didYouMeanHtml = '
'.wfMsg('search-suggest',$suggestLink).'
';
@@ -947,7 +947,7 @@ class SpecialSearchOld {
$this->powerSearchOptions());
$suggestLink = $sk->makeKnownLinkObj( $st,
- htmlspecialchars( $textMatches->getSuggestionSnippet() ),
+ $textMatches->getSuggestionSnippet(),
$stParams );
$wgOut->addHTML('
'.wfMsg('search-suggest',$suggestLink).'
');
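Review bot: The suggestion snippet now reaches `makeKnownLinkObj()` and then `$wgOut->addHTML()` with no escaping at this call site, so output safety depends entirely on every `SearchResultSet` subclass returning already-escaped HTML; the same applies to the identical change in the `SpecialSearch` hunk at -169, which feeds `$this->didYouMeanHtml`. The revised docblock in SearchEngine.php says only "HTML highlighted", which does not tell a backend author that the query text inside the snippet must be escaped before the highlight markup is added. I would state the contract where the value is consumed with `// getSuggestionSnippet() returns pre-escaped HTML: backends must escape the query text, core outputs it as-is`, and tighten the docblock to `@return string HTML-escaped suggested query with highlight markup, output unescaped by callers; '' if none`. Whether search backends other than MWSearch already meet this contract is not visible in this diff and should be confirmed before relying on it. The enclosing method starts and ends outside the hunk.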