LanguageConverter::captionConvert(): remove HTML tags and escape HTML special chars...
authorPhilip Tzou <philip@users.mediawiki.org>
Tue, 25 Jan 2011 18:33:21 +0000 (18:33 +0000)
committerPhilip Tzou <philip@users.mediawiki.org>
Tue, 25 Jan 2011 18:33:21 +0000 (18:33 +0000)
languages/LanguageConverter.php

index 2cfcb4d..5b46b57 100644 (file)
@@ -308,14 +308,23 @@ class LanguageConverter {
         * @return String like ' alt="yyyy"' or ' title="yyyy"'
         */
        protected function captionConvert( $matches ) {
+         // TODO: cache the preferred variant in every autoConvert() process,
+         // this helps improve performance in a way.
                $toVariant = $this->getPreferredVariant();
                $title = $matches[1];
-               $text  = $matches[2];
+               $text = $matches[2];
+               
                // we convert captions except URL
                if ( !strpos( $text, '://' ) ) {
                        $text = $this->translate( $text, $toVariant );
                }
-               return " $title=\"$text\"";
+               
+               // remove HTML tags to prevent disrupting the layout
+               $text = preg_replace( '/<[^>]+>/', '', $text );
+               // escape HTML special chars to prevent disrupting the layout
+               $text = htmlspecialchars( $text );
+               
+               return " {$title}=\"{$text}\"";
        }
 
        /**
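Review bot: The URL test on the new side, `if ( !strpos( $text, '://' ) )`, still uses the truthiness of strpos(), so a caption that begins with `://` (offset 0) is treated as non-URL and translated; the intended check is `if ( strpos( $text, '://' ) === false )`. The added `htmlspecialchars( $text )` call keeps the default double_encode=true, so if `$matches[2]` is captured from attribute markup that has already been entity-encoded (not visible in this hunk), an existing `&amp;` or `&quot;` would come back as `&amp;amp;` / `&amp;quot;`; if that is the case, `htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false )` preserves existing entities while still neutralising raw quotes and angle brackets. The tag-stripping regex `/<[^>]+>/` leaves a lone `<` without a closing `>` in place, which is fine only because the escaping step follows it, so the order of the two statements is load-bearing and deserves a comment saying so. The three added blank lines carry trailing whitespace.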