From: Wil Mahan Date: Tue, 5 Oct 2004 04:13:14 +0000 (+0000) Subject: Instead of calling htmlspecialchars() on image alt text, X-Git-Tag: 1.5.0alpha1~1653 X-Git-Url: http://git.cyclocoop.org/url?a=commitdiff_plain;h=8ccd7f0469c4c93f1d8fe4f3776e8b79389740ea;p=lhc%2Fweb%2Fwiklou.git Instead of calling htmlspecialchars() on image alt text, escape special chars while being careful not to double- escape '&' in character entities. Fixes bug 499.
---
diff --git a/includes/Skin.php b/includes/Skin.php
index 3e4af78173..652149aa75 100644
--- a/includes/Skin.php
+++ b/includes/Skin.php
@@ -1774,7 +1774,8 @@ class Skin {
 $alt = preg_replace( '/\.(.+?)^/', '', $img->getName() );
 }
 $alt = preg_replace( '/<[^>]*>/', '', $alt );
- $alt = htmlspecialchars( $alt );
+ $alt = preg_replace('/&(?!:amp;|#[Xx][0-9A-fa-f]+;|#[0-9]+;|[a-zA-Z0-9]+;)/', '&', $alt);
+ $alt = str_replace( array('<', '>', '"'), array('<', '>', '"'), $alt );
 $u = $nt->escapeLocalURL();
 if ( $url == '' )
@@ -1802,7 +1803,8 @@ class Skin {
 #$label = htmlspecialchars( $label );
 $alt = preg_replace( '/<[^>]*>/', '', $label);
- $alt = htmlspecialchars( $alt );
+ $alt = preg_replace('/&(?!:amp;|#[Xx][0-9A-fa-f]+;|#[0-9]+;|[a-zA-Z0-9]+;)/', '&', $alt);
+ $alt = str_replace( array('<', '>', '"'), array('<', '>', '"'), $alt );
 $width = $height = 0;
 if ( $img->exists() )
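Review bot: The lookahead in the added `preg_replace` (hunk `@@ -1774,7 +1774,8 @@`, repeated verbatim in `@@ -1802,7 +1803,8 @@`) accepts more than well-formed character references, so some bare ampersands are left unescaped. The hex class `[0-9A-fa-f]` spans `A` through `f` in ASCII and therefore also matches `G`–`Z` and the punctuation between `Z` and `a`, and `(?!:amp;` makes the first alternative the literal text `:amp;`, which looks like a mistyped `(?:` or a stray colon. I would write the pattern as `'/&(?!#[Xx][0-9A-Fa-f]+;|#[0-9]+;|[a-zA-Z0-9]+;)/'`, since `amp;` is already covered by the named-entity alternative. The replacement strings display on this page as `'&'` and `array('<', '>', '"')`, presumably because the rendering decoded the entities, so I am reading them as the escaped forms. The enclosing methods start and end outside both hunks.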
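Review bot: The added `str_replace` in the hunk at `@@ -1802,7 +1803,8 @@` (and its copy in the first hunk) escapes `<`, `>` and `"` but not `'`, so `$alt` is only safe inside a double-quoted attribute. The markup that emits `$alt` is outside both hunks, so the quoting style is an assumption to confirm. The removed `htmlspecialchars( $alt )` call also left single quotes alone with its default flags of that era, so this is not a regression, but the constraint is now implicit in hand-written code. A comment above the pair such as `# $alt is only safe in a double-quoted attribute; existing character references are kept as-is` would record it. Because the same two lines now appear at both call sites, moving them into one small helper method on `Skin` would keep the copies from drifting apart.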