From 643dad9da36bc74258a4c11e6eff71018045ea23 Mon Sep 17 00:00:00 2001 From: Aryeh Gregor Date: Thu, 20 Aug 2009 21:30:47 +0000 Subject: [PATCH] Remove somewhat braindead comments On second thought, if you're outputting user-supplied JS without careful validation, it doesn't really matter if it's HTML-escaped or not. :D CSS has expr() and such too. --- includes/Html.php | 8 -------- 1 file changed, 8 deletions(-) diff --git a/includes/Html.php b/includes/Html.php index 57f9ba012c..ae10ac6141 100644 --- a/includes/Html.php +++ b/includes/Html.php @@ -194,10 +194,6 @@ class Html { * escaping as well, like if $contents contains literal '' or (for * XML) literal "]]>". * - * Note that $contents will not be escaped, since JS may legitimately - * contain unescaped characters like "<". Make sure you don't output - * untrusted user input here! - * * @param $contents string JavaScript * @return string Raw HTML */ @@ -234,10 +230,6 @@ class Html { * (if any). TODO: do some useful escaping as well, like if $contents * contains literal '' (admittedly unlikely). * - * Note that $contents will not be escaped, since CSS may legitimately - * contain unescaped characters like "<". Make sure you don't output - * untrusted user input here! - * * @param $contents string CSS * @param $media mixed A media type string, like 'screen', or null for all * media -- 2.20.1
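Review bot: In the first hunk (includes/Html.php, the JavaScript docblock around line 194), deleting the "Note that $contents will not be escaped" paragraph leaves nothing in the docblock stating that $contents is inserted verbatim; the only remaining hint is the TODO about a literal '' or (for XML) a literal "]]>", which describes escaping that does not happen rather than the contract callers get today. Even if the "don't output untrusted user input" sentence is judged redundant, the raw-insertion behaviour is worth one line, for example "@param $contents string JavaScript, inserted without escaping", so a caller cannot read "@return string Raw HTML" as meaning the argument is made safe. Keeping that line also keeps the TODO about "]]>" meaningful, since a "]]>" inside $contents ends a CDATA section in XML output and that is exactly the case the removed note warned about.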
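Review bot: In the second hunk (includes/Html.php, the CSS docblock around line 230), the same omission applies: after removing the "Note that $contents will not be escaped" paragraph, the docblock for the style helper documents $media in detail but says nothing about $contents being emitted raw, and the adjacent TODO ("admittedly unlikely") understates a case that matters precisely because no escaping is done. Suggest stating the behaviour in the @param line ("@param $contents string CSS, inserted without escaping") so the two helpers stay consistent with each other and the caller's responsibility is visible where the signature is read, rather than relying on the commit message's reasoning that a caller emitting user-supplied CSS is already beyond help.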