From f06864bce857e1fe847607c90da6e8f88188bd1f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Niklas=20Laxstr=C3=B6m?= <niklas.laxstrom@gmail.com>
Date: Thu, 28 Jun 2012 14:52:56 +0000
Subject: [PATCH] (bug 37587) Enforce language codes to be html safe

Fixes bug 37587 and many other issues which
might or might not have been reported yet.

Change-Id: I612b90931a0261990bcd294fdb12cfba930c8c2f
---
 languages/Language.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/languages/Language.php b/languages/Language.php
index b531f2a376..4d73acb6ad 100644
--- a/languages/Language.php
+++ b/languages/Language.php
@@ -246,7 +246,11 @@ class Language {
 	 */
 	public static function isValidCode( $code ) {
 		return
-			strcspn( $code, ":/\\\000" ) === strlen( $code )
+			// People think language codes are html safe, so enforce it.
+			// Ideally we should only allow a-zA-Z0-9-
+			// but, .+ and other chars are often used for {{int:}} hacks
+			// see bugs 37564, 37587, 36938
+			strcspn( $code, ":/\\\000&<>'\"" ) === strlen( $code )
 			&& !preg_match( Title::getTitleInvalidRegex(), $code );
 	}
 
-- 
2.20.1