From: Brian Wolff
Date: Wed, 13 Jun 2018 15:28:20 +0000 (+0000)
Subject: Paranoia, escape image alignment parameters before outputting.
X-Git-Tag: 1.34.0-rc.0~4298^2
X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/membres/fiche.php?a=commitdiff_plain;h=d370c51df10ad6a53c0c99f94d19c8ce4db5a059;p=lhc%2Fweb%2Fwiklou.git

Paranoia, escape image alignment parameters before outputting.

The alignment parameter is totally safe (See the very convoluted code in the parser) but its best practise to escape things right before the output. Additionally this protects in case any extension uses a hook to do anything silly.

Change-Id: Ie19b106409d55c704b69280e2d0e2bb29068bd2e
---

diff --git a/includes/Linker.php b/includes/Linker.php
index 89a6a108ac..adc0297065 100644
--- a/includes/Linker.php
+++ b/includes/Linker.php
@@ -431,7 +431,11 @@ class Linker {
 $s = $thumb->toHtml( $params );
 }
 if ( $frameParams['align'] != '' ) {
- $s = "
{$s}
";
+ $s = Html::rawElement(
+ 'div',
+ [ 'class' => 'float' . $frameParams['align'] ],
+ $s
+ );
 }
 return str_replace( "\n", ' ', $prefix . $s . $postfix );
 }
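Review bot: Escaping the `class` attribute in the new `Html::rawElement()` call stops attribute breakout, but it does not constrain what `$frameParams['align']` may contain. A hook-supplied value with whitespace would still add arbitrary extra class names to the wrapper div. Since the commit message names misbehaving extensions as the concern, an allowlist in the guard would finish the hardening, e.g. `if ( in_array( $frameParams['align'], [ 'left', 'right', 'center', 'none' ], true ) ) {`, with the value set confirmed against what the parser actually accepts. The third argument is emitted unescaped by design, so a short comment such as `// $s is already-rendered HTML from the thumbnail code; rawElement() must not re-escape it` would record that trust assumption. The enclosing method begins outside this hunk, so upstream validation of `align` is not visible here.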