From: Niklas Laxström Date: Thu, 28 Jun 2012 14:52:56 +0000 (+0000) Subject: (bug 37587) Enforce language codes to be html safe X-Git-Tag: 1.31.0-rc.0~23044^2 X-Git-Url: http://git.cyclocoop.org/%28?a=commitdiff_plain;h=f06864bce857e1fe847607c90da6e8f88188bd1f;p=lhc%2Fweb%2Fwiklou.git (bug 37587) Enforce language codes to be html safe Fixes bug 37587 and many other issues which might or might not have been reported yet. Change-Id: I612b90931a0261990bcd294fdb12cfba930c8c2f --- diff --git a/languages/Language.php b/languages/Language.php index b531f2a376..4d73acb6ad 100644 --- a/languages/Language.php +++ b/languages/Language.php @@ -246,7 +246,11 @@ class Language { */ public static function isValidCode( $code ) { return - strcspn( $code, ":/\\\000" ) === strlen( $code ) + // People think language codes are html safe, so enforce it. + // Ideally we should only allow a-zA-Z0-9- + // but, .+ and other chars are often used for {{int:}} hacks + // see bugs 37564, 37587, 36938 + strcspn( $code, ":/\\\000&<>'\"" ) === strlen( $code ) && !preg_match( Title::getTitleInvalidRegex(), $code ); }
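Review bot: The changed strcspn() line in isValidCode() extends a denylist, so the "html safe" wording in the new comment promises more than the check delivers. The added characters &<>'" cover HTML text and quoted attribute values, but the set still contains no whitespace, = or backtick. Unless the Title::getTitleInvalidRegex() test on the following line rejects those, a code that passes here is not safe in an unquoted attribute, and nothing in this check addresses URL or script contexts. I would say in the comment exactly which contexts are covered and that callers must still escape on output, and leave a TODO to switch to the a-zA-Z0-9- allowlist the comment already names once the {{int:}} uses from bugs 37564, 37587 and 36938 are dealt with. Two smaller points: "but, .+ and other chars" is hard to parse, so consider writing it as "but '.', '+' and other chars"; and the diff carries no test, so a case asserting that a code containing each of the five new characters is rejected would pin the behaviour down.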