From ebb8e31b19c4d6e8e6e584cbda49f0852d4abf66 Mon Sep 17 00:00:00 2001
From: Roan Kattouw <catrope@users.mediawiki.org>
Date: Wed, 29 Apr 2009 15:59:59 +0000
Subject: [PATCH] (bug 18620) Fix some escaping issues in
 TablePager::formatRow() and set $mCurrentRow earlier. Patch by Happy-Melon

---
 includes/Pager.php | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/includes/Pager.php b/includes/Pager.php
index 7df8499811..dea216793a 100644
--- a/includes/Pager.php
+++ b/includes/Pager.php
@@ -750,18 +750,16 @@ abstract class TablePager extends IndexPager {
 	}
 
 	function formatRow( $row ) {
-		$rowClass = htmlspecialchars( $this->getRowClass( $row ) );
-		$s = "<tr class=\"$rowClass\">\n";
+		$this->mCurrentRow = $row;  	# In case formatValue etc need to know
+		$s = Xml::openElement( 'tr', $this->getRowAttrs($row) );
 		$fieldNames = $this->getFieldNames();
-		$this->mCurrentRow = $row;  # In case formatValue needs to know
 		foreach ( $fieldNames as $field => $name ) {
 			$value = isset( $row->$field ) ? $row->$field : null;
 			$formatted = strval( $this->formatValue( $field, $value ) );
 			if ( $formatted == '' ) {
 				$formatted = '&nbsp;';
 			}
-			$class = 'TablePager_col_' . htmlspecialchars( $field );
-			$s .= "<td class=\"$class\">$formatted</td>\n";
+			$s .= Xml::tags( 'td', $this->getCellAttrs( $field, $value ), $formatted );
 		}
 		$s .= "</tr>\n";
 		return $s;
@@ -771,10 +769,31 @@ abstract class TablePager extends IndexPager {
 	 * Get a class name to be applied to the given row.
 	 * @param object $row The database result row
 	 */
-	function getRowClass($row) {
+	function getRowClass( $row ) {
 		return '';
 	}
 
+	/**
+	 * Get attributes to be applied to the given row.
+	 * @param object $row The database result row
+	 * @return associative array
+	 */
+	function getRowAttrs( $row ) {
+		return array( 'class' => $this->getRowClass( $row ) );
+	}
+
+	/**
+	 * Get any extra attributes to be applied to the given cell. Don't 
+	 * take this as an excuse to hardcode styles; use classes and 
+	 * CSS instead.  Row context is available in $this->mCurrentRow
+	 * @param $field The column
+	 * @param $value The cell contents
+	 * @return associative array
+	 */
+	function getCellAttrs( $field, $value ) {
+		return array( 'class' => 'TablePager_col_' . $field );
+	}
+
 	function getIndexField() {
 		return $this->mSort;
 	}
-- 
2.20.1