* (bug 25451) Improved datetime representation in 32 bit php >= 5.2.
* Show "skin does not exist error" only when the skin is inputted in the wrong
case.
+* (bug 26164) Potential html injection when the database server isn't available
=== API changes in 1.17 ===
* (bug 22738) Allow filtering by action type on query=logevent.
header( 'Pragma: nocache' );
}
- $title = $this->getPageTitle();
+ $logo = htmlspecialchars( $wgLogo, ENT_QUOTES );
+ $title = htmlspecialchars( $this->getPageTitle() );
+
return "<html>
<head>
<title>$title</title>
</head>
<body>
- <h1><img src='$wgLogo' style='float:left;margin-right:1em' alt=''/>$title</h1>
+ <h1><img src='$logo' style='float:left;margin-right:1em' alt=''/>$title</h1>
";
}
}
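Review bot: The `ENT_QUOTES` flag on `$logo` is load-bearing and nothing in the code says so: the value is interpolated into a single-quoted `src='$logo'` attribute, where the pre-8.1 default `ENT_COMPAT` would leave `'` unescaped. I would add a comment above the assignment, `// ENT_QUOTES required: $logo goes into a single-quoted attribute below`, so a later cleanup does not drop the flag or change the quoting on its own. The same coupling exists in the searchForm() hunk, where `$server` is escaped with default flags and is safe only while its `value="$server"` attributes stay double-quoted; passing `ENT_QUOTES` in both places would remove the dependency. The enclosing function starts above this hunk.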
function searchForm() {
- global $wgSitename, $wgServer, $wgLang, $wgInputEncoding;
+ global $wgSitename, $wgServer, $wgLang;
$usegoogle = "You can try searching via Google in the meantime.";
$outofdate = "Note that their indexes of our content may be out of date.";
$search = htmlspecialchars( @$_REQUEST['search'] );
+ $server = htmlspecialchars( $wgServer );
+ $sitename = htmlspecialchars( $wgSitename );
+
$trygoogle = <<<EOT
<div style="margin: 1.5em">$usegoogle<br />
<small>$outofdate</small></div>
<!-- SiteSearch Google -->
<form method="get" action="http://www.google.com/search" id="googlesearch">
- <input type="hidden" name="domains" value="$wgServer" />
+ <input type="hidden" name="domains" value="$server" />
<input type="hidden" name="num" value="50" />
- <input type="hidden" name="ie" value="$wgInputEncoding" />
- <input type="hidden" name="oe" value="$wgInputEncoding" />
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
<input type="text" name="q" size="31" maxlength="255" value="$search" />
<input type="submit" name="btnG" value="$googlesearch" />
<div>
- <input type="radio" name="sitesearch" id="gwiki" value="$wgServer" checked="checked" /><label for="gwiki">$wgSitename</label>
+ <input type="radio" name="sitesearch" id="gwiki" value="$server" checked="checked" /><label for="gwiki">$sitename</label>
<input type="radio" name="sitesearch" id="gWWW" value="" /><label for="gWWW">WWW</label>
</div>
</form>
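Review bot: `$googlesearch`, `$usegoogle` and `$outofdate` are still interpolated into the heredoc (`value="$googlesearch"`, the `<div>` and `<small>` text), and their final assignments are not all visible in this hunk. If any of them can be overwritten with a localisation message or another non-literal value before the heredoc (the `global $wgLang` suggests this is possible), it needs the same `htmlspecialchars()` treatment as `$server` and `$sitename`, otherwise the fallback page keeps an injection path of the kind this commit closes. Separately, `htmlspecialchars( @$_REQUEST['search'] )` relies on `@` to hide both a missing key and an array-valued parameter; `isset( $_REQUEST['search'] ) && is_string( $_REQUEST['search'] ) ? $_REQUEST['search'] : ''` states the intent without suppressing other errors. The heredoc and the rest of searchForm() continue past the end of the hunk.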