*/
public static function isValidCode( $code ) {
return
- strcspn( $code, ":/\\\000" ) === strlen( $code )
+ // People think language codes are html safe, so enforce it.
+ // Ideally we should only allow a-zA-Z0-9-
+ // but, .+ and other chars are often used for {{int:}} hacks
+ // see bugs 37564, 37587, 36938
+ strcspn( $code, ":/\\\000&<>'\"" ) === strlen( $code )
&& !preg_match( Title::getTitleInvalidRegex(), $code );
}
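Review bot: The widened reject set in the `strcspn()` call is still a denylist, so a code that passes isValidCode() is at most safe as HTML text or inside a quoted attribute value. Whitespace, `=` and backticks stay allowed by this line unless `Title::getTitleInvalidRegex()` rejects them, which is not visible here. That matters if any caller writes the code into an unquoted attribute, a URL or a script/style context. I would say so in the added comment, e.g. `// Only covers HTML text and quoted attributes; callers must still escape for the output context.`, and repeat that sentence in the function's docblock, which begins outside this hunk. A regression test asserting that a code containing any of `&`, `<`, `>`, `'` or `"` is rejected would keep the set from being narrowed again.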
*
* @param $code string
*
+ * @throws MWException
* @since 1.18
* @return bool
*/
/**
* Decode an expiry (block, protection, etc) which has come from the DB
*
- * @FIXME: why are we returnings DBMS-dependent strings???
+ * @todo FIXME: why are we returnings DBMS-dependent strings???
*
* @param $expiry String: Database expiry String
* @param $format Bool|Int true to process using language functions, or TS_ constant
* @param $title Title object to link
* @param $offset Integer offset parameter
* @param $limit Integer limit parameter
- * @param $query String optional URL query parameter string
+ * @param $query array|String optional URL query parameter string
* @param $atend Bool optional param for specified if this is the last page
* @return String
*/