From: Brion Vibber Date: Wed, 2 Jul 2008 01:19:00 +0000 (+0000) Subject: Some cleanup for r36609: X-Git-Tag: 1.31.0-rc.0~46817 X-Git-Url: https://git.cyclocoop.org/%242?a=commitdiff_plain;h=f54ec4339e0579510f786b949a0b2d87ab4e61b2;p=lhc%2Fweb%2Fwiklou.git Some cleanup for r36609: $url and $alt parameters in makeExternalImage() are now normalized to be escaped on output instead of before they reach the function. This ensures that any hooks processing them won't accidentally send plaintext which might become an injection vector, or just get confused on pre-escaped input they didn't expect.
---
diff --git a/includes/Linker.php b/includes/Linker.php
index b2aeb5aba6..5da07ba225 100644
--- a/includes/Linker.php
+++ b/includes/Linker.php
@@ -478,7 +478,7 @@ class Linker {
 } else {
 $basename = substr( $basename, 1 );
 }
- return htmlspecialchars( $basename );
+ return $basename;
 }
 /** Obsolete alias */
@@ -497,8 +497,10 @@ class Linker {
 wfDebug("Hook LinkerMakeExternalImage changed the output of external image with url {$url} and alt text {$alt} to {$img}", true);
 return $img;
 }
- $s = ''.$alt.'';
- return $s;
+ return Xml::element( 'img',
+ array(
+ 'src' => $url,
+ 'alt' => $alt ) );
 }
 /**
diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 48cfebdc27..f7235255ff 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -1468,7 +1468,7 @@ class Parser
 || ( $imagesexception && strpos( $url, $imagesfrom ) === 0 ) ) {
 if ( preg_match( self::EXT_IMAGE_REGEX, $url ) ) {
 # Image found
- $text = $sk->makeExternalImage( htmlspecialchars( $url ) );
+ $text = $sk->makeExternalImage( $url );
 }
 }
 return $text;
diff --git a/includes/parser/Parser_OldPP.php b/includes/parser/Parser_OldPP.php
index 0d0394a5de..487d3ffdfd 100644
--- a/includes/parser/Parser_OldPP.php
+++ b/includes/parser/Parser_OldPP.php
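Review bot: In the `@@ -478,7 +478,7 @@` hunk of includes/Linker.php, the function ending at `return $basename;` now hands back unescaped text, and nothing in the visible lines tells callers that the escaping has moved to them. The function's header and docblock are outside the hunk, so I cannot see what it currently promises; I would add a line such as `@return string Unescaped plaintext; the caller must escape it for its output context`. Any call site other than makeExternalImage() that wrote the old return value straight into HTML would now emit raw input, so the remaining callers should be checked before this lands.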
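Review bot: In the `@@ -497,8 +497,10 @@` hunk of includes/Linker.php, the early `return $img;` still returns the LinkerMakeExternalImage hook's output verbatim, so the new `Xml::element()` escaping only covers the fall-through path. Assuming the hook receives `$url` and `$alt` as the commit message describes, a handler that concatenates them into `$img` must now escape them itself, and one written against the earlier pre-escaped contract would not. The docblock is outside the hunk; I would record the contract there and in the hook documentation, e.g. `@param string $url Unescaped URL, escaped on output` and `@param string $alt Unescaped alt text, escaped on output`, with a sentence stating that hook-supplied `$img` is returned as-is and must already be safe HTML.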
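Review bot: The call in the `@@ -1468,7 +1468,7 @@` hunk of includes/parser/Parser.php, and the identical one in includes/parser/Parser_OldPP.php, carries no comment explaining why `$url` is passed unescaped, which invites a later "fix" that reintroduces `htmlspecialchars()` and double-escapes the attribute. I would extend the existing comment to `# Image found; $url is passed raw, makeExternalImage() escapes on output`. A parser test with an external image URL containing `&` would pin that the rendered `src` contains `&amp;` exactly once; no test is part of the commit as shown. The enclosing function starts outside the hunk, so whether `$url` is guaranteed to be unescaped at this point cannot be confirmed from the visible lines.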
@@ -1495,7 +1495,7 @@ class Parser_OldPP
 || ( $imagesexception && strpos( $url, $imagesfrom ) === 0 ) ) {
 if ( preg_match( self::EXT_IMAGE_REGEX, $url ) ) {
 # Image found
- $text = $sk->makeExternalImage( htmlspecialchars( $url ) );
+ $text = $sk->makeExternalImage( $url );
 }
 }
 return $text;