their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
token.
+* (T156184) SECURITY: Escape content model/format url parameter in message.
=== Action API changes in 1.29 ===
* Submitting sensitive authentication request parameters to action=login,
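Review bot: The added T156184 line says only "in message", which does not tell a reader of the release notes which output was affected. The code change touches the edit page errors 'editpage-invalidcontentmodel-text' and 'editpage-notsupportedcontentformat-text', so the entry could name them, for example "Escape the content model and format URL parameters in the edit page's invalid content model and unsupported content format error messages". "url" should also be capitalised as "URL" to match normal usage.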
throw new ErrorPageError(
'editpage-invalidcontentmodel-title',
'editpage-invalidcontentmodel-text',
- [ $this->contentModel ]
+ [ wfEscapeWikiText( $this->contentModel ) ]
);
}
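Review bot: The new parameter line `[ wfEscapeWikiText( $this->contentModel ) ]` carries no comment explaining why the value is escaped at this call site. The release note describes the content model as a URL parameter, so a short comment above the throw stating that the value is user-supplied and is substituted into a wikitext message would keep a later cleanup from dropping the wfEscapeWikiText() call. No test accompanies the visible change; a regression test that requests the edit page with a content model value containing wikitext markup and asserts it is rendered literally in the error page would pin the behaviour.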
throw new ErrorPageError(
'editpage-notsupportedcontentformat-title',
'editpage-notsupportedcontentformat-text',
- [ $this->contentFormat, ContentHandler::getLocalizedName( $this->contentModel ) ]
+ [
+ wfEscapeWikiText( $this->contentFormat ),
+ wfEscapeWikiText( ContentHandler::getLocalizedName( $this->contentModel ) )
+ ]
);
}
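Review bot: The second array element wraps the return value of `ContentHandler::getLocalizedName( $this->contentModel )` in wfEscapeWikiText(), and nothing in the hunk says why a localized name needs wikitext escaping. If the reason is that getLocalizedName() can hand back the requested model identifier unchanged, say so in a comment here, and consider whether other callers that put its result into messages need the same treatment. As with the content model error above, a regression test covering a content format value containing markup would be worth adding alongside this change.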