From 69f96f65dd99e54b84e489e7d957b7526653474c Mon Sep 17 00:00:00 2001
From: csteipp
Date: Mon, 15 Apr 2013 13:42:02 -0700
Subject: [PATCH] Sanitize $limitReport before outputting

Prevents possible injection of "-->" and other HTML by extensions using the ParserLimitReport hook.
bug: 46084
Change-Id: Id97b6668da6df3e5e4c0acefffa00c82cac3c44a
---
 includes/parser/Parser.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 0247d3e143..3ada925a14 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -501,6 +501,11 @@ class Parser {
 "Highest expansion depth: {$this->mHighestExpansionDepth}/{$this->mOptions->getMaxPPExpandDepth()}\n" . $PFreport; wfRunHooks( 'ParserLimitReport', array( $this, &$limitReport ) );
+
+ // Sanitize for comment. Note '‐' in the replacement is U+2010,
+ // which looks much like the problematic '-'.
+ $limitReport = str_replace( array( '-', '&' ), array( '‐', '&' ), $limitReport );
+
 $text .= "\n\n"; if ( $this->mGeneratedPPNodeCount > $this->mOptions->getMaxGeneratedPPNodeCount() / 10 ) {
-- 
2.20.1
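Review bot: The replacement character in the added `str_replace` call is a literal U+2010 that is visually indistinguishable from the ASCII hyphen it replaces, so an editor or encoding normalisation that folds it back to `-` would silently turn this comment-breakout guard into a no-op; writing it as bytes, `"\xE2\x80\x90"` in place of `'‐'`, keeps the intent visible in review. As rendered on this page the second pair reads `'&'` to `'&'` and the following `$text .=` line shows an empty string, which looks like the page having decoded an entity and swallowed the comment delimiters, so confirm against the raw patch that `&` maps to its entity form and that `$limitReport` is still emitted inside the comment. The change ships without a parser test; one that registers a `ParserLimitReport` handler appending `-->` and asserts the sequence does not survive into the output would pin the behaviour. The enclosing method starts and ends outside this hunk.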