(bug 37587) Enforce language codes to be html safe
authorNiklas Laxström <niklas.laxstrom@gmail.com>
Thu, 28 Jun 2012 14:52:56 +0000 (14:52 +0000)
committercsteipp <csteipp@wikimedia.org>
Mon, 9 Jul 2012 19:51:56 +0000 (12:51 -0700)
Fixes bug 37587 and many other issues which
might or might not have been reported yet.

Change-Id: I612b90931a0261990bcd294fdb12cfba930c8c2f

languages/Language.php

index b531f2a..4d73acb 100644 (file)
@@ -246,7 +246,11 @@ class Language {
         */
        public static function isValidCode( $code ) {
                return
-                       strcspn( $code, ":/\\\000" ) === strlen( $code )
+                       // People think language codes are html safe, so enforce it.
+                       // Ideally we should only allow a-zA-Z0-9-
+                       // but, .+ and other chars are often used for {{int:}} hacks
+                       // see bugs 37564, 37587, 36938
+                       strcspn( $code, ":/\\\000&<>'\"" ) === strlen( $code )
                        && !preg_match( Title::getTitleInvalidRegex(), $code );
        }
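Review bot: The character list added to `isValidCode()` rejects only `&<>'"`, so the "html safe" wording in the new comment holds for HTML text and quoted attribute values, but not for unquoted attributes, URLs or script contexts. Whitespace, `=` and backticks would still pass unless `Title::getTitleInvalidRegex()`, which is not visible here, happens to reject them. I would state that limit in the comment, e.g. `// Rejects &<>'" only: safe in HTML text and quoted attributes; callers must still escape for any other context.` The method's docblock starts above the hunk and should carry the same caveat so callers do not drop output escaping. An empty string also appears to satisfy the `strcspn` comparison, since both sides are 0, so it is worth confirming whether an empty code is meant to be valid.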