From 644f1d90671ee067f8492b9f48cc004051c121c5 Mon Sep 17 00:00:00 2001 From: Jens Frank Date: Sun, 29 Aug 2004 19:07:18 +0000 Subject: [PATCH] BUG#244 Backed out changes done in Patch 1.33 due to major security problems. HTML tags were not escaped and it was possible to execute arbitrary javascript code --- includes/DifferenceEngine.php | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/includes/DifferenceEngine.php b/includes/DifferenceEngine.php index 3bc8269938..f4a3a9f8ca 100644 --- a/includes/DifferenceEngine.php +++ b/includes/DifferenceEngine.php @@ -211,8 +211,8 @@ class DifferenceEngine { { global $wgOut, $wgUseExternalDiffEngine; - $otext = str_replace( "\r\n", "\n", $otext ); - $ntext = str_replace( "\r\n", "\n", $ntext ); + $otext = str_replace( "\r\n", "\n", htmlspecialchars( $otext ) ); + $ntext = str_replace( "\r\n", "\n", htmlspecialchars( $ntext ) ); $wgOut->addHTML( "_group !== '') { - if ($this->_tag == 'mark') - $this->_line .= ''.htmlspecialchars ( $this->_group ).''; - else - $this->_line .= htmlspecialchars ( $this->_group ); - } + if ($this->_tag == 'mark') + $this->_line .= ''.$this->_group.''; + else + $this->_line .= $this->_group; + } $this->_group = ''; $this->_tag = $new_tag; } @@ -1166,9 +1166,7 @@ class _HWLDF_WordAccumulator { function _flushLine ($new_tag) { $this->_flushGroup($new_tag); if ($this->_line != '') - array_push ( $this->_lines, $this->_line ); - else - array_push ( $this->_lines, NBSP ); + $this->_lines[] = $this->_line; $this->_line = ''; } @@ -1181,6 +1179,7 @@ class _HWLDF_WordAccumulator { if ($word == '') continue; if ($word[0] == "\n") { + $this->_group .= NBSP; $this->_flushLine($tag); $word = substr($word, 1); } 
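Review bot: Escaping `$otext` and `$ntext` before they are diffed means the word-level splitter later runs over entity text, so with the `_split` pattern shown further down `&lt;` is tokenised as `&`, `lt`, `;`. When only the middle token differs between two revisions, the `mark` wrapper applied in `_flushGroup` would presumably be emitted inside the entity, and the cell would show the entity text literally instead of the character; that is a rendering fault, not an injection. A comment above the two lines would record the trade-off, e.g. `// Escaped once, before diffing: the word-level diff below operates on entities such as &amp; and &lt;`. The function body starts and ends outside the hunk.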
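Review bot: `_flushGroup` now appends `$this->_group` to the line verbatim, and the same is true of `$line` in `addedLine`, `deletedLine`, `contextLine`, `_added` and `_deleted` in the later hunks, all of which feed `$wgOut->addHTML`. Nothing in these methods states that their input must already be escaped; the only escaping visible in the patch is the `htmlspecialchars()` call in the first hunk, so any other caller that hands raw text to the accumulator or formatter would bring back the script injection this commit removes. A doc comment on each method would make the contract explicit, e.g. `// $line is pre-escaped HTML (escaped once on entry to the diff) and is emitted verbatim`. The hunk header for `_flushGroup` is missing from the page, so the start of the method is not visible.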
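Review bot: `$this->_group .= NBSP;` runs for every word that begins with a newline, so non-empty lines also get a trailing NBSP, and when the pending group's tag is `mark` it is flushed as part of the marked text. If the intent is only to keep blank lines now that `_flushLine` skips an empty `_line`, say so next to the statement, e.g. `// keep blank lines: _flushLine() drops an empty _line`. The enclosing loop starts and ends outside the hunk.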
@@ -1207,6 +1206,8 @@ class WordLevelDiff extends MappedDiff } function _split($lines) { + // FIXME: fix POSIX char class. +# if (!preg_match_all('/ ( [^\S\n]+ | [[:alnum:]]+ | . ) (?: (?!< \n) [^\S\n])? /xs', if (!preg_match_all('/ ( [^\S\n]+ | [0-9_A-Za-z\x80-\xff]+ | . ) (?: (?!< \n) [^\S\n])? /xs', implode("\n", $lines), $m)) { @@ -1256,7 +1257,7 @@ class TableDiffFormatter extends DiffFormatter $l2 = wfMsg( 'lineno', $ybeg ); $r = '\n" . - '\n"; + '\n"; return $r; } @@ -1273,12 +1274,12 @@ class TableDiffFormatter extends DiffFormatter function addedLine( $line ) { return ''; + $line.''; } function deletedLine( $line ) { return ''; + $line.''; } function emptyLine() { @@ -1286,22 +1287,21 @@ class TableDiffFormatter extends DiffFormatter } function contextLine( $line ) { - return ''; + return ''; } function _added($lines) { global $wgOut; foreach ($lines as $line) { $wgOut->addHTML( '' . $this->emptyLine() . - $this->addedLine( htmlspecialchars ( $line ) ) . "\n" ); + $this->addedLine( $line ) . "\n" ); } } function _deleted($lines) { global $wgOut; foreach ($lines as $line) { - $wgOut->addHTML( '' . $this->deletedLine( htmlspecialchars ( $line ) ) . + $wgOut->addHTML( '' . $this->deletedLine( $line ) . $this->emptyLine() . "\n" ); } } -- 2.20.1
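Review bot: The added `// FIXME: fix POSIX char class.` does not say what is wrong with `[[:alnum:]]`, and the disabled pattern is kept as a `#` comment beside a `//` comment. Stating the failure would help whoever picks it up, e.g. `// FIXME: [[:alnum:]] does not match bytes \x80-\xff here, so the explicit range below is used`, if that is indeed the reason. Separately, in both the disabled and the active pattern `(?!< \n)` is parsed under `/x` as a negative lookahead for `<\n`, which looks like a mistyped lookbehind `(?<! \n)`; this is worth confirming, since as written it can never block the `[^\S\n]` that follows.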
'.$l1."'.$l2."
'.$l2."
+' . - $line . '-' . - $line . ' ' . - htmlspecialchars ( $line ) . ' '.$line.'