From 6520a626bd2008f7d31d330dfb5cff5dde5ec10e Mon Sep 17 00:00:00 2001
From: Roan Kattouw
Date: Fri, 22 Apr 2011 10:47:13 +0000
Subject: [PATCH] (bug 26603) Followup r82232: fix double-escaping of returnto and returntoquery. Was caused by using two sources ($this->thisurl and $wgRequest) where one was already escaped and the other wasn't, then unconditionally escaping the result.
---
 includes/SkinTemplate.php | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/includes/SkinTemplate.php b/includes/SkinTemplate.php
index 490621a991..9b656854f8 100644
--- a/includes/SkinTemplate.php
+++ b/includes/SkinTemplate.php
@@ -566,10 +566,26 @@ class SkinTemplate extends Skin {
  /* set up the default links for the personal toolbar */
  $personal_urls = array();
- $page = $wgRequest->getVal( 'returnto', $this->thisurl );
- $query = $wgRequest->getVal( 'returntoquery', $this->thisquery );
- $returnto = wfArrayToCGI( array( 'returnto' => $page ) );
- if( $this->thisquery != '' ) {
+
+ // Get the returnto and returntoquery parameters from the query string
+ // or fall back on $this->thisurl or $this->thisquery
+ // We can't use getVal()'s default value feature here because
+ // stuff from $wgRequest needs to be escaped, but thisurl and thisquery
+ // are already escaped.
+ $page = $wgRequest->getVal( 'returnto' );
+ if ( !is_null( $page ) ) {
+ $page = wfUrlencode( $page );
+ } else {
+ $page = $this->thisurl;
+ }
+ $query = $wgRequest->getVal( 'returntoquery' );
+ if ( !is_null( $query ) ) {
+ $query = wfUrlencode( $query );
+ } else {
+ $query = $this->thisquery;
+ }
+ $returnto = "returnto=$page";
+ if( $query != '' ) {
  $returnto .= "&returntoquery=$query";
  }
  if( $this->loggedin ) {
-- 
2.20.1
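Review bot: The new `!is_null( $page )` test treats a present-but-empty `returnto=` the same as a real title, so the links built from `"returnto=$page"` would carry an empty return target instead of falling back to `$this->thisurl`; `$query` gets an empty-string check a few lines later but `$page` does not. Assuming getVal() hands back '' for an empty parameter, `if ( $page !== null && $page !== '' ) {` would keep the fallback. The string-built `$returnto` is also only correct while both branches yield values encoded the same way, and the assignments of `thisurl` and `thisquery` are outside this hunk, so that cannot be confirmed from here; a short comment at those assignments saying they must stay encoded consistently with `wfUrlencode()` would protect the invariant this code now depends on. The enclosing method begins and ends outside the hunk.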