SECURITY: Disable <html> tag on system messages despite $wgRawHtml = true;
[lhc/web/wiklou.git] / includes / cache / MessageCache.php
index 4facc20..70e1d9a 100644 (file)
@@ -191,11 +191,16 @@ class MessageCache {
                                // either.
                                $po = ParserOptions::newFromAnon();
                                $po->setEditSection( false );
+                               $po->setAllowUnsafeRawHtml( false );
                                return $po;
                        }
 
                        $this->mParserOptions = new ParserOptions;
                        $this->mParserOptions->setEditSection( false );
+                       // Messages may take parameters that could come
+                       // from malicious sources. As a precaution, disable
+                       // the <html> parser tag when parsing messages.
+                       $this->mParserOptions->setAllowUnsafeRawHtml( false );
                }
 
                return $this->mParserOptions;
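Review bot: The anonymous-options branch at `$po->setAllowUnsafeRawHtml( false );` carries no comment, while the same call on the cached `$this->mParserOptions` a few lines below is explained; since the two branches must stay in sync for the protection to hold, the short-lived branch should say so, e.g. `// Same precaution as for the cached options below: message parameters may be attacker-controlled, so never honour <html> here.` It would also be worth factoring the two `setEditSection( false )` / `setAllowUnsafeRawHtml( false )` pairs into one private helper that configures a freshly built ParserOptions, so a future hardening flag cannot be added to one path and forgotten on the other. A regression test that parses a message containing an `<html>` block with `$wgRawHtml` enabled and asserts the tag is rendered escaped rather than as raw markup would pin the intended behaviour. The enclosing method begins and ends outside this hunk, so whether other code paths still obtain parser options without this flag cannot be confirmed from here.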
@@ -508,7 +513,7 @@ class MessageCache {
 
                $res = $dbr->select(
                        [ 'page', 'revision', 'text' ],
-                       [ 'page_title', 'old_text', 'old_flags' ],
+                       [ 'page_title', 'old_id', 'old_text', 'old_flags' ],
                        $smallConds,
                        __METHOD__ . "($code)-small"
                );
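Review bot: The select at `[ 'page_title', 'old_id', 'old_text', 'old_flags' ]` now fetches `old_id`, but nothing in this hunk consumes it, and the commit title mentions only the `<html>` tag change; if a later part of the loader (outside the hunk) relies on the id, a short comment at the column list naming that consumer would make the dependency explicit, e.g. `// old_id is needed by the row-processing code below`. If the column is unused, it should be dropped to keep the fix minimal and reviewable. The surrounding function continues beyond the hunk, so the actual use of the field cannot be verified from what is visible.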