* Fix for HTML/JS injection bug in variable handler (found by Nick Jenkins)

author Brion Vibber <brion@users.mediawiki.org>

Tue, 23 May 2006 04:15:37 +0000 (04:15 +0000)

committer Brion Vibber <brion@users.mediawiki.org>

Tue, 23 May 2006 04:15:37 +0000 (04:15 +0000)
author Brion Vibber <brion@users.mediawiki.org>
Tue, 23 May 2006 04:15:37 +0000 (04:15 +0000)
committer Brion Vibber <brion@users.mediawiki.org>
Tue, 23 May 2006 04:15:37 +0000 (04:15 +0000)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES

index ffae1a7..9fa2822 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -315,6 +315,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
  * (bug 6046) Update to Indonesian localisation (id) #15
  * (bug 5523) $wgNoFollowNsExceptions to allow disabling rel="nofollow" in
    specially-selected namespaces.
+* Fix for HTML/JS injection bug in variable handler (found by Nick Jenkins)
  
  
  == Compatibility ==
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php

index 7845419..93745c7 100644 (file)
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -602,6 +602,7 @@ class Sanitizer {
                                 'ISBN' => '&#73;SBN',
                                 'RFC'  => '&#82;FC',
                                 'PMID' => '&#80;MID',
+                               '|'    => '&#124;',
                         ) );
  
                         # Stupid hack
author	Brion Vibber <brion@users.mediawiki.org>
	Tue, 23 May 2006 04:15:37 +0000 (04:15 +0000)
committer	Brion Vibber <brion@users.mediawiki.org>
	Tue, 23 May 2006 04:15:37 +0000 (04:15 +0000)
RELEASE-NOTES		patch \| blob \| history
includes/Sanitizer.php		patch \| blob \| history