Be a little more careful about escaping displayed usernames
authorBrion Vibber <brion@users.mediawiki.org>
Thu, 24 Jun 2004 05:32:52 +0000 (05:32 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Thu, 24 Jun 2004 05:32:52 +0000 (05:32 +0000)
includes/PageHistory.php
includes/SpecialContributions.php

index 56f673f..3eeaa9d 100644 (file)
@@ -162,10 +162,10 @@ class PageHistory {
 
                if ( 0 == $u ) {
                        $ul = $this->mSkin->makeKnownLink( $wgLang->specialPage( "Contributions" ),
-                               $ut, "target=" . $ut );
+                               htmlspecialchars( $ut ), "target=" . urlencode( $ut ) );
                } else { 
                        $ul = $this->mSkin->makeLink( $wgLang->getNsText(
-                               Namespace::getUser() ) . ":{$ut}", $ut );
+                               Namespace::getUser() ) . ":{$ut}", htmlspecialchars( $ut ) );
                }
 
                $s = "<li>";
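Review bot: Both call sites now depend on an unstated contract: the link-text argument of `makeKnownLink()` and `makeLink()` appears to be emitted as raw HTML, while the title and query arguments are handled separately. Nothing in the hunk records this. A one-line comment above the `if ( 0 == $u )` block would keep a later edit from double-escaping or dropping the escape, for example `// Link text is passed through as HTML, so $ut is escaped here; the query value is URL-encoded separately.` Whether the helpers also HTML-escape the assembled `target=` query when writing it into the href is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.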
index 9156814..0dcd5eb 100644 (file)
@@ -33,7 +33,7 @@ function wfSpecialContributions( $par = "" )
        if ( 0 == $id ) {
                $ul = $nt->getText();
        } else {
-               $ul = $sk->makeLinkObj( $nt, $nt->getText() );
+               $ul = $sk->makeLinkObj( $nt, htmlspecialchars( $nt->getText() ) );
                $userCond = "=" . $id;
        }
        $talk = $nt->getTalkPage();
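Review bot: The `0 == $id` branch still assigns `$ul = $nt->getText();` unescaped, so only the registered-user path gets the new `htmlspecialchars()` call. Where `$ul` is used lies outside the hunk, but if it is later written into the page as HTML, the text for a target with no user id would reach output raw. That text presumably comes from the request. The branch should match the other one: `$ul = htmlspecialchars( $nt->getText() );`. Since `wfSpecialContributions` continues past the hunk, the place where `$ul` is emitted should be checked to confirm the value is escaped exactly once.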