From: Tim Starling
Date: Wed, 1 Apr 2009 08:50:57 +0000 (+0000)
Subject: In OutputPage::addScriptFile(): escape attributes for HTML. No XSS, just good practice.
X-Git-Tag: 1.31.0-rc.0~42255
X-Git-Url: https://git.cyclocoop.org/%7B%24admin_url%7Dmembres/modifier.php?a=commitdiff_plain;h=43f0ff44697a6c77800030f53ffeee67b5b71e50;p=lhc%2Fweb%2Fwiklou.git

In OutputPage::addScriptFile(): escape attributes for HTML. No XSS, just good practice.
---
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index ed9a43d3f5..39a248feb1 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -103,7 +103,15 @@ class OutputPage {
 } else {
 $path = "{$wgStylePath}/common/{$file}";
 }
- $this->addScript( "\n" );
+ $this->addScript(
+ Xml::element( 'script',
+ array(
+ 'type' => $wgJsMimeType,
+ 'src' => "$path?$wgStyleVersion",
+ ),
+ '', false
+ )
+ );
 }
 
 /**
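Review bot: The `src` value on the new side is HTML-escaped by `Xml::element()` but is still assembled as `"$path?$wgStyleVersion"` with no URL-level handling, so a `$file` that already contains `?` or `#` would produce a malformed query string or lose the cache-busting version. Attribute escaping prevents markup breakout, but it does not constrain which URL the script is loaded from. The commit message's "No XSS" therefore holds only while every caller passes a trusted `$file`; the branch that handles the other path forms starts above this hunk, so that assumption should be confirmed there. I would also document the trailing positional arguments, which are opaque at the call site, with something like `// empty contents, short tag disabled: a self-closed <script /> is not honoured in HTML`.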