global $wgUseSiteJs;
if ($wgUseSiteJs) {
if ($wgUser->isLoggedIn()) {
- $r .= "<script type=\"$wgJsMimeType\" src=\"".urlencode(self::makeUrl('-','action=raw&smaxage=0&gen=js'))."\"><!-- site js --></script>\n";
+ $r .= "<script type=\"$wgJsMimeType\" src=\"".htmlspecialchars(self::makeUrl('-','action=raw&smaxage=0&gen=js'))."\"><!-- site js --></script>\n";
} else {
- $r .= "<script type=\"$wgJsMimeType\" src=\"".urlencode(self::makeUrl('-','action=raw&gen=js'))."\"><!-- site js --></script>\n";
+ $r .= "<script type=\"$wgJsMimeType\" src=\"".htmlspecialchars(self::makeUrl('-','action=raw&gen=js'))."\"><!-- site js --></script>\n";
}
}
if( $wgAllowUserJs && $wgUser->isLoggedIn() ) {
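Review bot: The two added `$r .=` lines differ only in `&smaxage=0`, so the `src` escaping is now written twice and the branches can drift apart again. Building the query first keeps a single `htmlspecialchars()` call, for example `$query = 'action=raw' . ( $wgUser->isLoggedIn() ? '&smaxage=0' : '' ) . '&gen=js';` followed by one `$r .= ...` line that escapes `self::makeUrl( '-', $query )`. `$wgJsMimeType` is still interpolated into the `type` attribute unescaped. It looks like a site configuration value, so the exposure is small, but passing it through `htmlspecialchars()` as well would make the attribute escaping uniform. A short comment such as `// HTML-escape for the attribute context; urlencode() would mangle the URL's own separators` would record why the encoder was changed. The enclosing function starts and ends outside the hunk.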
</p>
!! end
+# This isn't needed for XHTML conformance, but would be handy as a fallback security measure
+!! test
+TODO: Always escape literal '>' in output, not just after '<'
+!! input
+><>
+!! result
+<p>><>
+</p>
+!! end
+
!! test
Template caching
!! input