From: Aryeh Gregor Date: Fri, 18 Sep 2009 15:28:46 +0000 (+0000) Subject: Tighten up unquoted attribute output X-Git-Tag: 1.31.0-rc.0~39641 X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/banques/?a=commitdiff_plain;h=5c1205314ceb94050303f6dfbfafb9d462505a5a;p=lhc%2Fweb%2Fwiklou.git Tighten up unquoted attribute output Only affects wikis with $wgWellFormedXml = false. In principle, the old behavior might have permitted XSS in IE if that setting is false (which is not the default), but I haven't checked. See . --- diff --git a/includes/Html.php b/includes/Html.php index 26c427cd66..068a9bff77 100644 --- a/includes/Html.php +++ b/includes/Html.php @@ -319,8 +319,14 @@ class Html { # marks omitted, but not all. (Although a literal " is not # permitted, we don't check for that, since it will be escaped # anyway.) + # + # See also research done on further characters that need to be + # escaped: http://code.google.com/p/html5lib/issues/detail?id=93 + $badChars = "\\x00- '=<>`/\x{00a0}\x{1680}\x{180e}\x{180F}\x{2000}\x{2001}" + . "\x{2002}\x{2003}\x{2004}\x{2005}\x{2006}\x{2007}\x{2008}\x{2009}" + . "\x{200A}\x{2028}\x{2029}\x{202F}\x{205F}\x{3000}"; if ( $wgWellFormedXml || $value === '' - || preg_match( "/[ '=<>]/", $value ) ) { + || preg_match( "![$badChars]!u", $value ) ) { $quote = '"'; } else { $quote = '';
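Review bot: in the changed condition, preg_match( "![$badChars]!u", $value ) is used as a bare truth value, but with the u modifier preg_match() returns false rather than 0 when $value is not valid UTF-8, so such a value falls through to the else branch and is emitted with $quote = ''. Since the check exists to decide when omitting the quotes is safe, it should fail closed: quote unless the match returns exactly 0, for example || preg_match( "![$badChars]!u", $value ) !== 0. A smaller style point on the $badChars lines: the first escape is written \\x00 while the \x{...} escapes depend on PHP passing an unrecognised escape through to PCRE unchanged; a one-line comment saying so, and consistent hex case (\x{180e} next to \x{180F}), would make the character class easier to audit.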