Live fix: escape <, >, and " chars that sneak into tables, etc. due to parser ordering...
authorBrion Vibber <brion@users.mediawiki.org>
Sun, 2 Apr 2006 04:09:42 +0000 (04:09 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Sun, 2 Apr 2006 04:09:42 +0000 (04:09 +0000)
includes/Sanitizer.php

index 45f7a49..37b2389 100644 (file)
@@ -577,6 +577,9 @@ class Sanitizer {
                        # Templates and links may be expanded in later parsing,
                        # creating invalid or dangerous output. Suppress this.
                        $value = strtr( $value, array(
+                               '<'    => '&lt;',   // This should never happen,
+                               '>'    => '&gt;',   // we've received invalid input
+                               '"'    => '&quot;', // which should have been escaped.
                                '{'    => '&#123;',
                                '['    => '&#91;',
                                "''"   => '&#39;&#39;',