From e221d194c41a7f7675c61dc69c259dec1d63012a Mon Sep 17 00:00:00 2001 From: Timo Tijhof Date: Tue, 12 May 2015 01:50:28 +0100 Subject: [PATCH] resourceloader: Use makeComment() in tryRespondFromFileCache() for safety Other code paths in this class already make use of this method, but this was still embedding arbitrary strings directly, at the risk of producting invalid CSS or invalid JavaScript. Change-Id: Ied6c420536a3dd1ef8f3816a078705136e8475b1 --- includes/resourceloader/ResourceLoader.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/resourceloader/ResourceLoader.php b/includes/resourceloader/ResourceLoader.php index ce18c32add..55dc16e7a8 100644 --- a/includes/resourceloader/ResourceLoader.php +++ b/includes/resourceloader/ResourceLoader.php @@ -808,7 +808,7 @@ class ResourceLoader { // Capture any PHP warnings from the output buffer and append them to the // response in a comment if we're in debug mode. if ( $context->getDebug() && strlen( $warnings = ob_get_contents() ) ) { - $response = "/*\n$warnings\n*/\n" . $response; + $response = self::makeComment( $warnings ) . $response; } // Send content type and cache headers $this->sendResponseHeaders( $context, $ts, false ); -- 2.20.1