From: Aryeh Gregor <simetrical@users.mediawiki.org>
Date: Sun, 19 Apr 2009 17:07:41 +0000 (+0000)
Subject: Fix braindead wrong escaping from r49017, r49018
X-Git-Tag: 1.31.0-rc.0~42108
X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/membres/fiche.php?a=commitdiff_plain;h=5512ee6ad43462adb85f033b04950a12e9261c25;p=lhc%2Fweb%2Fwiklou.git

Fix braindead wrong escaping from r49017, r49018

URL encoding != HTML encoding!

Thanks for report by Tbleher at:

http://www.mediawiki.org/wiki/Special:Code/MediaWiki/49017#c2228
---

diff --git a/includes/ChangesList.php b/includes/ChangesList.php
index 3e34fe40c8..3efa66f9c5 100644
--- a/includes/ChangesList.php
+++ b/includes/ChangesList.php
@@ -578,13 +578,13 @@ class EnhancedChangesList extends ChangesList {
 			if ( $rc_type != RC_NEW ) {
 				$curLink = $this->message['cur'];
 			} else {
-				$curUrl = wfUrlencode( $rc->getTitle()->getLinkUrl( $querycur ) );
+				$curUrl = htmlspecialchars( $rc->getTitle()->getLinkUrl( $querycur ) );
 				$curLink = "<a href=\"$curUrl\" tabindex=\"{$baseRC->counter}\">{$this->message['cur']}</a>";
 			}
 			$diffLink = $this->message['diff'];
 		} else {
-			$diffUrl = wfUrlencode( $rc->getTitle()->getLinkUrl( $querydiff ) );
-			$curUrl = wfUrlencode( $rc->getTitle()->getLinkUrl( $querycur ) );
+			$diffUrl = htmlspecialchars( $rc->getTitle()->getLinkUrl( $querydiff ) );
+			$curUrl = htmlspecialchars( $rc->getTitle()->getLinkUrl( $querycur ) );
 			$diffLink = "<a href=\"$diffUrl\" tabindex=\"{$baseRC->counter}\">{$this->message['diff']}</a>";
 			$curLink = "<a href=\"$curUrl\" tabindex=\"{$baseRC->counter}\">{$this->message['cur']}</a>";
 		}
diff --git a/includes/Title.php b/includes/Title.php
index 782169cbf9..9968f9ab8f 100644
--- a/includes/Title.php
+++ b/includes/Title.php
@@ -854,6 +854,9 @@ class Title {
 	 * there's a fragment but the prefixed text is empty, we just return a link
 	 * to the fragment.
 	 *
+	 * The result obviously should not be URL-escaped, but does need to be
+	 * HTML-escaped if it's being output in HTML.
+	 *
 	 * @param $query \type{\arrayof{\string}} An associative array of key => value pairs for the
 	 *   query string.  Keys and values will be escaped.
 	 * @param $variant \type{\string} Language variant of URL (for sr, zh..).  Ignored