dépôts / lhc / web / wiklou.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6e18e5c)
SECURITY: escape sortKey in pageInfo
authorcsteipp <csteipp@wikimedia.org>
Sat, 29 Mar 2014 05:39:57 +0000 (22:39 -0700)
committermglaser <glaser@hallowelt.biz>
Thu, 24 Apr 2014 19:52:22 +0000 (21:52 +0200)
DEFAULTSORT isn't escaped before being added to the action=info table.

Bug: 63251
Change-Id: I087bfde8cbc69c3507f68ee3cb6e22aba0ffa7db

includes/actions/InfoAction.php patch | blob | history

diff --git a/includes/actions/InfoAction.php b/includes/actions/InfoAction.php
index 06e3667..6b25460 100644 (file)
--- a/includes/actions/InfoAction.php
+++ b/includes/actions/InfoAction.php
@@ -262,6 +262,7 @@ class InfoAction extends FormlessAction {
                        $sortKey = $pageProperties['defaultsort'];
                }
 
+               $sortKey = htmlspecialchars( $sortKey );
                $pageInfo['header-basic'][] = array( $this->msg( 'pageinfo-default-sort' ), $sortKey );
 
                // Page length (in bytes)
Wiklou, le Wiki du Wiklou