fix xss attack
authorRiver Tarnell <kateturner@users.mediawiki.org>
Thu, 14 Oct 2004 08:58:47 +0000 (08:58 +0000)
committerRiver Tarnell <kateturner@users.mediawiki.org>
Thu, 14 Oct 2004 08:58:47 +0000 (08:58 +0000)
includes/Credits.php

index 8228052..ffbeeff 100644 (file)
@@ -74,8 +74,8 @@ function getAuthorCredits($article) {
        $author_credit = wfMsg('anonymous');
     } else {
        
-       $real_name = User::whoIsReal($last_author);
-       $user_name = User::whoIs($last_author);
+       $real_name = htmlspecialchars( User::whoIsReal($last_author) );
+       $user_name = htmlspecialchars( User::whoIs($last_author) );
        
        if (!empty($real_name)) {
            $author_credit = creditLink($user_name, $real_name);
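Review bot: `$user_name` is escaped before it is handed to `creditLink()` on the last line of this hunk. If that helper uses its first argument as the link target (its body is not part of this diff), a name containing `&` or `"` would be looked up in entity-encoded form and could be encoded a second time when the link is built. Escaping is safer where the display text is written into markup, presumably inside `creditLink()`, with `$real_name = User::whoIsReal($last_author);` left raw here. If the call stays at this level, pass `ENT_QUOTES` so single quotes are covered for any single-quoted attribute context: `htmlspecialchars( User::whoIsReal($last_author), ENT_QUOTES )`. The body of getAuthorCredits continues outside the hunk, so other uses of `$user_name` are not visible.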
@@ -125,9 +125,9 @@ function getContributorCredits($article, $cnt, $showIfMax) {
     foreach ($contributors as $user_parts) {
        if ($user_parts[0] != 0) {
            if ($wgAllowRealName && !empty($user_parts[2])) {
-               $real_names[] = creditLink($user_parts[1], $user_parts[2]);
+               $real_names[] = htmlspecialchars( creditLink($user_parts[1], $user_parts[2]) );
            } else {
-               $user_names[] = creditLink($user_parts[1]);
+               $user_names[] = htmlspecialchars( creditLink($user_parts[1]) );
            }
        } else {
            $anon = wfMsg('anonymous');
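Review bot: The two added lines escape the return value of `creditLink()`, while the earlier hunk in getAuthorCredits escapes its arguments, so the two call sites disagree on which layer owns output encoding. If `creditLink()` returns anchor markup, as its name suggests, these lines will print the tags as literal text in the contributor list instead of rendering links. Escaping only the untrusted parts keeps the link intact, e.g. `$real_names[] = creditLink($user_parts[1], htmlspecialchars($user_parts[2]));`. Better still, encode once inside `creditLink()` so every caller is covered. The foreach loop and getContributorCredits extend beyond the hunk.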