From af70c2893807e255b0af75f0191c92484c901719 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Thu, 28 Apr 2005 23:06:47 +0000
Subject: [PATCH] Restore htmlspecialchars() on the editToken value before outputting to HTML.

While at the moment the editToken() value is safe for literal inclusion is HTML output, it's a black-box value to the rest of the code and such safety is not guaranteed. Escaping text values being placed in HTML/XML attributes or text elements is a regular part of the output process and it's a bad habit to leave it out on text values that are produced elsewhere; they can and do change (such as all those localized messages which are now user-editable...)
---
 includes/EditPage.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/EditPage.php b/includes/EditPage.php
index bbe980ab59..7f042cafec 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -692,7 +692,7 @@ END
 * we won't save the page, or render user JavaScript and
 * CSS previews.
 */
- $token = $wgUser->editToken();
+ $token = htmlspecialchars( $wgUser->editToken() );
 $wgOut->addHTML( " \n" ); }
-- 
2.20.1
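Review bot: The new htmlspecialchars() call on the `+` line relies on the default flag set, which before PHP 8.1 is ENT_COMPAT: `"` is escaped but `'` is not, so the token is only safe if the attribute it is placed in is double-quoted, and the addHTML() argument as shown in the hunk does not reveal that quoting. Passing the flag explicitly, `$token = htmlspecialchars( $wgUser->editToken(), ENT_QUOTES );`, makes the escaping independent of how the surrounding markup is written and survives a later edit of that string. Since `$token` now holds the escaped form rather than the raw value, any later use of it for something other than HTML output would see the escaped string; nothing in the hunk suggests such a use, but a comment on the assignment, `// HTML-escaped copy of the edit token: for output only, never for comparison`, would make that explicit. The enclosing method begins before the hunk and the addHTML() call continues past its last visible line.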