From f3a89bb4d0048756e9f7fb5765cf0d5c39db2943 Mon Sep 17 00:00:00 2001 From: Platonides Date: Mon, 26 Jul 2010 17:41:14 +0000 Subject: [PATCH] Close the web page when it is disabled. Fix XSS in filter parameter. Normal setups (with $wgEnableProfileInfo = false) are not affected. --- profileinfo.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/profileinfo.php b/profileinfo.php index cd324f9e7a..9ef91a4411 100644 --- a/profileinfo.php +++ b/profileinfo.php @@ -65,7 +65,8 @@ require_once( './includes/WebStart.php' ); Disabled

\n"; + echo ""; exit( 1 ); } @@ -251,8 +252,8 @@ function makeurl( $_filter = false, $_sort = false, $_expand = false ) { if ( $_expand === false ) $_expand = $expand; - $nfilter = $_filter ? $_filter : $filter; - $nsort = $_sort ? $_sort : $sort; + $nfilter = $_filter ? htmlspecialchars( $_filter ) : htmlspecialchars( $filter ); + $nsort = $_sort ? htmlspecialchars( $_sort ) : htmlspecialchars( $sort ); $exp = urlencode( implode( ',', array_keys( $_expand ) ) ); return "?filter=$nfilter&sort=$nsort&expand=$exp"; } -- 2.20.1
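Review bot: In the second hunk, `$nfilter` and `$nsort` are HTML-escaped and then placed in a query string, where `htmlspecialchars()` is the wrong encoder: a filter value containing `&`, `#`, `+` or a space still alters or truncates the generated URL, and with the default flags of PHP versions before 8.1 a single quote is left unescaped. Percent-encoding each value, as the next line already does for `$exp`, covers both link integrity and markup injection, since `urlencode()` output contains no HTML metacharacters: `$nfilter = urlencode( $_filter ? $_filter : $filter );` and `$nsort = urlencode( $_sort ? $_sort : $sort );`. The opening lines of `makeurl()` and the places that echo its return value are outside the hunk, so whether callers escape the whole URL again (including the literal `&` separators) should be checked there.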