dépôts / lhc / web / wiklou.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: bbb1131) | patch
(bug 36938) XSS in uselang parameter
authorCatrope <roan.kattouw@gmail.com>
Fri, 18 May 2012 19:00:57 +0000 (12:00 -0700)
committerCatrope <roan.kattouw@gmail.com>
Fri, 18 May 2012 19:00:57 +0000 (12:00 -0700)
commit44f9adbdf04c0d0f3a82527cae6e669317b49666
treecd0f1b408324b10ef6e91aed96b855ba8cdc5365tree | snapshot
parentbbb113150125378e1a89edc58d0c228d05cafe87commit | diff
(bug 36938) XSS in uselang parameter

This was caused by the value of getHtmlCode() being injected directly
into HTML without escaping. Despite its name, the return value of
getHtmlCode() is not actually HTML-safe.

Fixed by escaping the language code, wrapping it in double quotes
instead of single quotes, and explicitly documenting that getHtmlCode()
and getCode() do not return HTML-safe values.

Change-Id: I3a908484ba3d4999d7a61ac162617144ca7e703a
includes/SkinTemplate.php diff | blob | history
languages/Language.php diff | blob | history
Wiklou, le Wiki du Wiklou