Merge "(bug 37587) Enforce language codes to be html safe"

[lhc/web/wiklou.git] / languages / Language.php

diff --git a/languages/Language.php b/languages/Language.php
index 85b9fab..430209d 100644 (file)
--- a/languages/Language.php
+++ b/languages/Language.php
@@ -246,7 +246,11 @@ class Language {
         */
        public static function isValidCode( $code ) {
                return
-                       strcspn( $code, ":/\\\000" ) === strlen( $code )
+                       // People think language codes are html safe, so enforce it.
+                       // Ideally we should only allow a-zA-Z0-9-
+                       // but, .+ and other chars are often used for {{int:}} hacks
+                       // see bugs 37564, 37587, 36938
+                       strcspn( $code, ":/\\\000&<>'\"" ) === strlen( $code )
                        && !preg_match( Title::getTitleInvalidRegex(), $code );
        }
 
@@ -256,6 +260,7 @@ class Language {
         *
         * @param $code string
         *
+        * @throws MWException
         * @since 1.18
         * @return bool
         */
@@ -3906,7 +3911,7 @@ class Language {
        /**
         * Decode an expiry (block, protection, etc) which has come from the DB
         *
-        * @FIXME: why are we returnings DBMS-dependent strings???
+        * @todo FIXME: why are we returnings DBMS-dependent strings???
         *
         * @param $expiry String: Database expiry String
         * @param $format Bool|Int true to process using language functions, or TS_ constant
@@ -4115,7 +4120,7 @@ class Language {
         * @param $title Title object to link
         * @param $offset Integer offset parameter
         * @param $limit Integer limit parameter
-        * @param $query String optional URL query parameter string
+        * @param $query array|String optional URL query parameter string
         * @param $atend Bool optional param for specified if this is the last page
         * @return String
         */