ChangesList: HTML escape the timestamp

author Brian Wolff <bawolff+wn@gmail.com>

Fri, 6 Jul 2018 01:02:45 +0000 (01:02 +0000)

committer Legoktm <legoktm@member.fsf.org>

Thu, 2 Aug 2018 09:47:49 +0000 (09:47 +0000)
author Brian Wolff <bawolff+wn@gmail.com>
Fri, 6 Jul 2018 01:02:45 +0000 (01:02 +0000)
committer Legoktm <legoktm@member.fsf.org>
Thu, 2 Aug 2018 09:47:49 +0000 (09:47 +0000)
diff --git a/includes/changes/ChangesList.php b/includes/changes/ChangesList.php

index facf29e..ac8b3d4 100644 (file)
--- a/includes/changes/ChangesList.php
+++ b/includes/changes/ChangesList.php
@@ -531,10 +531,10 @@ class ChangesList extends ContextSource {
         public function getTimestamp( $rc ) {
                 // @todo FIXME: Hard coded ". .". Is there a message for this? Should there be?
                 return $this->message['semicolon-separator'] . '<span class="mw-changeslist-date">' .
-                       $this->getLanguage()->userTime(
+                       htmlspecialchars( $this->getLanguage()->userTime(
                                 $rc->mAttribs['rc_timestamp'],
                                 $this->getUser()
-                       ) . '</span> <span class="mw-changeslist-separator">. .</span> ';
+                       ) ) . '</span> <span class="mw-changeslist-separator">. .</span> ';
         }
  
         /**
author	Brian Wolff <bawolff+wn@gmail.com>
	Fri, 6 Jul 2018 01:02:45 +0000 (01:02 +0000)
committer	Legoktm <legoktm@member.fsf.org>
	Thu, 2 Aug 2018 09:47:49 +0000 (09:47 +0000)