Actually, Sanitizer::encodeAttribute() was broken, so my last fix didn't actually...
author Aryeh Gregor <simetrical@users.mediawiki.org>
Mon, 24 Sep 2007 12:54:00 +0000 (12:54 +0000)
committer Aryeh Gregor <simetrical@users.mediawiki.org>
Mon, 24 Sep 2007 12:54:00 +0000 (12:54 +0000)
includes/Sanitizer.php

index f2dcbf9..c1c8daf 100644 (file)
@@ -725,7 +725,7 @@ class Sanitizer {
         * @return HTML-encoded text fragment
         */
        static function encodeAttribute( $text ) {
-               $encValue = htmlspecialchars( $text );
+               $encValue = htmlspecialchars( $text, ENT_QUOTES );
 
                // Whitespace is normalized during attribute decoding,
                // so if we've been passed non-spaces we must encode them