In OutputPage::addScriptFile(): escape attributes for HTML. No XSS, just good practice.
authorTim Starling <tstarling@users.mediawiki.org>
Wed, 1 Apr 2009 08:50:57 +0000 (08:50 +0000)
committerTim Starling <tstarling@users.mediawiki.org>
Wed, 1 Apr 2009 08:50:57 +0000 (08:50 +0000)
includes/OutputPage.php

index ed9a43d..39a248f 100644 (file)
@@ -103,7 +103,15 @@ class OutputPage {
                } else {
                        $path =  "{$wgStylePath}/common/{$file}";
                }
-               $this->addScript( "<script type=\"{$wgJsMimeType}\" src=\"$path?$wgStyleVersion\"></script>\n" );
+               $this->addScript( 
+                       Xml::element( 'script', 
+                               array(
+                                       'type' => $wgJsMimeType,
+                                       'src' => "$path?$wgStyleVersion",
+                               ),
+                               '', false
+                       )
+               );      
        }
        
        /**
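Review bot: The `'', false` arguments on the `Xml::element` call are what keep the output as `<script …></script>` rather than a self-closed tag, and nothing in the new lines says so. A one-line comment above the call, such as `// empty contents, no short tag: <script> needs an explicit closing tag`, would stop a later cleanup from removing them. The old string ended in `\n` and the new call does not, so consecutive script tags will be emitted on one line unless `addScript` adds its own separator (not visible here). Attribute escaping stops `$path` or `$wgStyleVersion` from breaking out of the `src` attribute, but it does not restrict where `src` points, so callers still have to pass a trusted `$file`. The branch that sets `$path` before the `else` starts outside this hunk.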