From f16d1e4ed70cd5a8fa6ae6ca8bb71bfe62f4f47e Mon Sep 17 00:00:00 2001
From: Philip Tzou
Date: Tue, 25 Jan 2011 18:33:21 +0000
Subject: [PATCH] LanguageConverter::captionConvert(): remove HTML tags and escape HTML special chars to prevent disrupting the layout.
---
 languages/LanguageConverter.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/languages/LanguageConverter.php b/languages/LanguageConverter.php
index 2cfcb4d7f3..5b46b57bca 100644
--- a/languages/LanguageConverter.php
+++ b/languages/LanguageConverter.php
@@ -308,14 +308,23 @@ class LanguageConverter {
 * @return String like ' alt="yyyy"' or ' title="yyyy"'
 */
 protected function captionConvert( $matches ) {
+ // TODO: cache the preferred variant in every autoConvert() process,
+ // this helps improve performance in a way.
 $toVariant = $this->getPreferredVariant();
 $title = $matches[1];
- $text = $matches[2];
+ $text = $matches[2];
+
 // we convert captions except URL
 if ( !strpos( $text, '://' ) ) {
 $text = $this->translate( $text, $toVariant );
 }
- return " $title=\"$text\"";
+
+ // remove HTML tags to prevent disrupting the layout
+ $text = preg_replace( '/<[^>]+>/', '', $text );
+ // escape HTML special chars to prevent disrupting the layout
+ $text = htmlspecialchars( $text );
+
+ return " {$title}=\"{$text}\"";
 }

 /**
-- 
2.20.1
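Review bot: The added `htmlspecialchars( $text )` in captionConvert() will double-encode entities if `$matches[2]` is captured from attribute markup that is already escaped, which the docblock example (' alt="yyyy"') suggests, though the caller and the pattern are outside this hunk; an existing `&amp;` in a caption would then be emitted as `&amp;amp;`. If that is the case, escape without re-encoding, `$text = htmlspecialchars( $text, ENT_COMPAT, 'UTF-8', false );`, or decode the captured value before translate() and escape exactly once at the end. The escape is also the step that actually keeps converted text inside the double-quoted attribute, while the `/<[^>]+>/` strip is best-effort and leaves an unterminated `<` for the escape to handle, so the comment would be more accurate as `// escape for a double-quoted attribute value; the tag strip above is cosmetic only`. `preg_replace()` can return null on a PCRE error, which would silently turn the caption into an empty string; a `?? $text`-style fallback (or an explicit null check on older PHP) would keep the original text in that case.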