Reverting r25082:

Do not restore security vulnerabilities to the codebase after a security release.
Especially don't MAKE THEM WORSE IN THE PROCESS.

diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index dec6cd3..b69ebaf 100644 (file)
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -158,6 +158,8 @@ See <a href='http://www.mediawiki.org/wiki/API'>complete documentation</a>, or
        * This method also replaces any '<' with &lt;
        */
        protected function formatHTML($text) {
+               // Escape everything first for full coverage
+               $text = htmlspecialchars($text);
                
                // encode all comments or tags as safe blue strings
                $text = preg_replace('/\&lt;(!--.*?--|.*?)\&gt;/', '<span style="color:blue;">&lt;\1&gt;</span>', $text);