SECURITY: Improve cross-domain-policy mangling
[lhc/web/wiklou.git] / includes / api / ApiFormatJson.php
index 36cbbd9..814450e 100644 (file)
@@ -42,7 +42,7 @@ class ApiFormatJson extends ApiFormatBase {
                        # outside the control of the end user.
                        # (and do it here because ApiMain::reportUnusedParams() gets called
                        # before our ::execute())
-                       $this->getMain()->getCheck( '_' );
+                       $this->getMain()->markParamsUsed( '_' );
                }
        }
 
@@ -103,9 +103,9 @@ class ApiFormatJson extends ApiFormatBase {
                // Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in
                // Flash, but what it does isn't friendly for the API, so we need to
                // work around it.
-               if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $json ) ) {
+               if ( preg_match( '/\<\s*cross-domain-policy(?=\s|\>)/i', $json ) ) {
                        $json = preg_replace(
-                               '/\<(\s*cross-domain-policy\s*)\>/i', '\\u003C$1\\u003E', $json
+                               '/\<(\s*cross-domain-policy(?=\s|\>))/i', '\\u003C$1', $json
                        );
                }
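Review bot: The lookahead `(?=\s|\>)` in the new pattern on both the `preg_match` and the `preg_replace` lines only neutralises a `<cross-domain-policy` sequence when it is followed by whitespace or `>`, so the same name followed by any other byte (a `/` in a self-closing form, for instance) is emitted unchanged; whether the Flash policy parser tolerates such variants cannot be told from this hunk. Because `\u003C` decodes to `<` inside any JSON string, the escape is lossless and can safely be applied without the lookahead at all: `$json = preg_replace( '/\<(\s*cross-domain-policy)/i', '\\u003C$1', $json );`. With that form the surrounding `preg_match` guard becomes redundant, since `preg_replace` returns its input untouched when nothing matches. The enclosing method continues past the end of this hunk.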