The $url and $alt parameters of makeExternalImage() are now escaped on output, inside the function, instead of before they reach it. This ensures that any hooks processing them cannot accidentally emit unescaped text that might become an injection vector, and are not confused by pre-escaped input they did not expect.
} else {
$basename = substr( $basename, 1 );
}
- return htmlspecialchars( $basename );
+ return $basename;
}
/** Obsolete alias */
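Review bot: Dropping `htmlspecialchars()` from the return at the `return $basename;` line moves the escaping duty to every caller, and the function's name, signature and callers are all outside this hunk, so it cannot be checked here that each one now escapes before emitting HTML. If the only consumer is makeExternalImage(), which this commit makes escape its $alt via Xml::element, the change is sound; any other caller that echoes the value directly is now an injection vector. Record the new contract on the function's docblock, e.g. `@return string Unescaped text; the caller is responsible for HTML-escaping it on output.` The enclosing function starts before this hunk.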
wfDebug("Hook LinkerMakeExternalImage changed the output of external image with url {$url} and alt text {$alt} to {$img}", true);
return $img;
}
- $s = '<img src="'.$url.'" alt="'.$alt.'" />';
- return $s;
+ return Xml::element( 'img',
+ array(
+ 'src' => $url,
+ 'alt' => $alt ) );
}
/**
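Review bot: The early `return $img;` after the LinkerMakeExternalImage hook returns whatever the hook built, unescaped, and the hook now receives raw $url and $alt instead of pre-escaped ones; a hook that interpolates them into $img without escaping reintroduces exactly the injection the commit sets out to remove. The default path below is correct since Xml::element() escapes both attributes, but the hook path relies on a contract that is nowhere stated in the hunk. Add a comment above the hook call (which starts before this hunk) such as `// $url and $alt are passed unescaped; a hook that replaces $img must escape anything it inserts.` The wfDebug line also writes the raw $url into the debug log, which is presumably acceptable given the regex filtering in the caller, but worth confirming.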
|| ( $imagesexception && strpos( $url, $imagesfrom ) === 0 ) ) {
if ( preg_match( self::EXT_IMAGE_REGEX, $url ) ) {
# Image found
- $text = $sk->makeExternalImage( htmlspecialchars( $url ) );
+ $text = $sk->makeExternalImage( $url );
}
}
return $text;
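Review bot: Passing the raw `$url` to makeExternalImage() is correct now that the callee escapes on output, but the allow-list test in the same condition, `strpos( $url, $imagesfrom ) === 0`, is only a prefix match: a URL such as `http://example.org.attacker.net/x.png` passes when $imagesfrom is `http://example.org` unless the configured value ends with a slash. $imagesfrom and $imagesexception are set outside this hunk, so this may be handled by configuration; if not, either require $imagesfrom to end with `/` or compare the parsed host component. The enclosing function starts and ends outside the hunk.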
|| ( $imagesexception && strpos( $url, $imagesfrom ) === 0 ) ) {
if ( preg_match( self::EXT_IMAGE_REGEX, $url ) ) {
# Image found
- $text = $sk->makeExternalImage( htmlspecialchars( $url ) );
+ $text = $sk->makeExternalImage( $url );
}
}
return $text;
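Review bot: Same concern as the identical call site above: the `strpos( $url, $imagesfrom ) === 0` prefix check admits any URL that merely begins with the configured string, so a trailing-slash requirement on $imagesfrom or a host comparison should guard the now-raw `$url` before it reaches makeExternalImage(). If this hunk is a second file rather than a repeated render of the first, the fix needs to land in both. The enclosing function starts and ends outside the hunk.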