SECURITY: Don't normalize U+FF3C to \

author csteipp <csteipp@wikimedia.org>

Fri, 6 Dec 2013 21:34:30 +0000 (13:34 -0800)

committer csteipp <csteipp@wikimedia.org>

Tue, 14 Jan 2014 06:08:45 +0000 (22:08 -0800)
author csteipp <csteipp@wikimedia.org>
Fri, 6 Dec 2013 21:34:30 +0000 (13:34 -0800)
committer csteipp <csteipp@wikimedia.org>
Tue, 14 Jan 2014 06:08:45 +0000 (22:08 -0800)
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php

index a6fb6d0..7461a8b 100644 (file)
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -867,7 +867,7 @@ class Sanitizer {
  
                 // Normalize Halfwidth and Fullwidth Unicode block that IE6 might treat as ascii
                 $value = preg_replace_callback(
-                       '/[ï¼\81-ï½\9a]/u', // U+FF01 to U+FF5A
+                       '/[ï¼\81-ï¼»ï¼½-ï½\9a]/u', // U+FF01 to U+FF5A, excluding U+FF3C (bug 58088)
                         function ( $matches ) {
                                 $cp = utf8ToCodepoint( $matches[0] );
                                 if ( $cp === false ) {
author	csteipp <csteipp@wikimedia.org>
	Fri, 6 Dec 2013 21:34:30 +0000 (13:34 -0800)
committer	csteipp <csteipp@wikimedia.org>
	Tue, 14 Jan 2014 06:08:45 +0000 (22:08 -0800)