While at the moment the editToken() value is safe for literal inclusion in HTML output, it's a black-box value to the rest of the code and such safety is not guaranteed. Escaping text values being placed in HTML/XML attributes or text elements is a regular part of the output process, and it's a bad habit to leave it out on text values that are produced elsewhere; they can and do change (such as all those localized messages which are now user-editable...)
* we won't save the page, or render user JavaScript and
* CSS previews.
*/
- $token = $wgUser->editToken();
+ $token = htmlspecialchars( $wgUser->editToken() );
$wgOut->addHTML( "
<input type='hidden' value=\"$token\" name=\"wpEditToken\" />\n" );
}
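Review bot: the `+` line relies on htmlspecialchars() with its default flags, which (before PHP 8.1, ENT_COMPAT) escape `"` but leave `'` alone; that is sufficient only because the value lands in a double-quoted attribute (`value=\"$token\"`) two lines below. If the quoting of that attribute is ever switched to single quotes, like the neighbouring `type='hidden'`, the escaping silently stops protecting it. Pass `ENT_QUOTES` so the call is correct regardless of which quote style the attribute uses, or build the element with a helper that does the escaping and quoting together so the two cannot drift apart.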
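To make the point in the comment above concrete, here is an added example (not MediaWiki code, and not part of the original review) showing a hostile "black-box" value breaking out of an unescaped attribute, the same value neutralised by escaping, and why the escaping flags have to match the attribute's quoting. The function names and the token values are constructed for illustration; the hostile strings stand in for "the opaque value's format changed under us".

```php
<?php
// Added example, not MediaWiki's own code. Hypothetical helpers escAttr()
// and hiddenInput(); sample values are constructed.

// Escape a value so it is safe inside a double- OR single-quoted attribute
// (and in text content). ENT_QUOTES covers both quote characters.
function escAttr( string $value ): string {
    return htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Build the hidden input with escaping and quoting in one place, so a later
// change to the quoting cannot be made without seeing the escaping next to it.
function hiddenInput( string $name, string $value ): string {
    return '<input type="hidden" name="' . escAttr( $name )
         . '" value="' . escAttr( $value ) . '" />';
}

// Constructed values: what an edit token looks like today, and a hostile
// stand-in for a future format that contains markup characters.
$benign  = '1234567890abcdef+\\';
$hostile = '"><script>alert(1)</script>';

// 1. Unescaped interpolation, as on the removed line of the patch: the
//    hostile value closes the attribute and the tag and injects a script.
echo '<input type="hidden" value="' . $hostile . '" name="wpEditToken" />', "\n";

// 2. Escaped: the quote becomes &quot; and the value stays inside the attribute.
echo hiddenInput( 'wpEditToken', $hostile ), "\n";
echo hiddenInput( 'wpEditToken', $benign ), "\n";

// 3. Flags must match quoting. ENT_COMPAT (the pre-8.1 default) escapes "
//    but not ', so it only protects a double-quoted attribute. The same call
//    in front of a single-quoted attribute still breaks out; ENT_QUOTES does not.
$single = "'><script>alert(1)</script>";
echo "<input type='hidden' value='" . htmlspecialchars( $single, ENT_COMPAT ) . "' />", "\n"; // breaks out
echo "<input type='hidden' value='" . escAttr( $single ) . "' />", "\n";                      // stays inside
```

Run it with `php` on the command line and compare the four `<input>` lines: only the ones built through escAttr() keep the hostile value inside the attribute regardless of the quote style used around it.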