From 366b3477953f0a32d8b93ad36218c0953b3cdc2f Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Mon, 5 Jan 2009 20:46:43 +0000
Subject: [PATCH] Follow-up to r45425 -- bug was in MWSearch, not core. It's supposed to be HTML-formatted, but was being built unsafely. Adding a comment on SearchEngine to clarify that getSuggestionSnippet() returns HTML
---
 RELEASE-NOTES | 1 -
 includes/SearchEngine.php | 2 +-
 includes/specials/SpecialSearch.php | 4 ++--
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 604162b28a..14dce00ecb 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -468,7 +468,6 @@ The following extensions are migrated into MediaWiki 1.14:
   that STDIN can be used for page list
 * Sanitizer::decodeCharReferences() now decodes the XHTML "'" character
   entity (loosely related to bug 14365)
-* Fix XSS in Special:Search with extended engine features ("did you mean")
 
 === API changes in 1.14 ===
 
diff --git a/includes/SearchEngine.php b/includes/SearchEngine.php
index db7431e36f..3ea0341d8c 100644
--- a/includes/SearchEngine.php
+++ b/includes/SearchEngine.php
@@ -470,7 +470,7 @@ class SearchResultSet {
 	}
 
 	/**
-	 * @return string highlighted suggested query, '' if none
+	 * @return string HTML highlighted suggested query, '' if none
 	 */
 	function getSuggestionSnippet(){
 		return '';
diff --git a/includes/specials/SpecialSearch.php b/includes/specials/SpecialSearch.php
index c7678d22e7..f3117242d1 100644
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -169,7 +169,7 @@ class SpecialSearch {
 				$this->powerSearchOptions()
 			);
 			$suggestLink = $sk->makeKnownLinkObj( $st,
-				htmlspecialchars( $textMatches->getSuggestionSnippet() ),
+				$textMatches->getSuggestionSnippet(),
 				$stParams );
 			$this->didYouMeanHtml = '
'.wfMsg('search-suggest',$suggestLink).'
';
@@ -947,7 +947,7 @@ class SpecialSearchOld {
 					$this->powerSearchOptions());
 
 			$suggestLink = $sk->makeKnownLinkObj( $st,
-				htmlspecialchars( $textMatches->getSuggestionSnippet() ),
+				$textMatches->getSuggestionSnippet(),
 				$stParams );
 
 			$wgOut->addHTML('
'.wfMsg('search-suggest',$suggestLink).'
');
-- 
2.20.1
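Review bot: Dropping htmlspecialchars() around getSuggestionSnippet() at @@ -169 (and the identical line at @@ -947 in SpecialSearchOld) leaves core with no escaping of the suggestion at all: makeKnownLinkObj() receives the snippet as link text and the only statement that it is HTML is the `@return string HTML` docblock this patch adds, which nothing enforces. Any SearchEngine backend whose getSuggestionSnippet() returns the suggested query without escaping would re-introduce the issue the removed RELEASE-NOTES line described, and core would no longer catch it. Since the actual fix lives in MWSearch, the SearchEngine.php docblock should spell out the contract implementers must meet, for example `@return string HTML highlighted suggested query, '' if none; implementations must htmlspecialchars() the query text before adding highlight markup, because callers insert the value into the page unescaped`. The enclosing methods in both SpecialSearch hunks start and end outside the hunks.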