This was caused by the value of getHtmlCode() being injected directly
into HTML without escaping. Despite its name, the return value of
getHtmlCode() is not actually HTML-safe.
Fixed by escaping the language code, wrapping it in double quotes
instead of single quotes, and explicitly documenting that getHtmlCode()
and getCode() do not return HTML-safe values.
Change-Id: I3a908484ba3d4999d7a61ac162617144ca7e703a
$tpl->set( 'specialpageattributes', '' ); # obsolete
if ( $userlang !== $wgContLang->getHtmlCode() || $userdir !== $wgContLang->getDir() ) {
- $attrs = " lang='$userlang' dir='$userdir'";
+ $escUserlang = htmlspecialchars( $userlang );
+ $escUserdir = htmlspecialchars( $userdir );
+ // Attributes must be in double quotes because htmlspecialchars() doesn't
+ // escape single quotes
+ $attrs = " lang=\"$escUserlang\" dir=\"$escUserdir\"";
$tpl->set( 'userlangattributes', $attrs );
}
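Review bot: the comment on the two new `//` lines explains the switch to double quotes correctly for the default flags of htmlspecialchars(), but that coupling is fragile: a later edit that puts the attributes back in single quotes would silently reintroduce the injection. Passing ENT_QUOTES explicitly, e.g. `htmlspecialchars( $userlang, ENT_QUOTES )`, makes the escaping correct for either quoting style and lets the comment be shortened to a plain statement that the values are escaped. The unescaped comparison against getHtmlCode() in the `if` condition is fine as is, since no markup is built there.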
/**
* Get the RFC 3066 code for this language object
*
+ * NOTE: The return value of this function is NOT HTML-safe and must be escaped with
+ * htmlspecialchars() or similar
+ *
* @return string
*/
public function getCode() {
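Review bot: the NOTE added to the getCode() docblock is missing the trailing period that the otherwise identical NOTE in the getHtmlCode() docblock has; making the two sentences identical keeps the generated documentation consistent and makes it easier to grep for the warning later.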
/**
* Get the code in Bcp47 format which we can use
* inside of html lang="" tags.
+ *
+ * NOTE: The return value of this function is NOT HTML-safe and must be escaped with
+ * htmlspecialchars() or similar.
+ *
* @since 1.19
* @return string
*/
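Review bot: the existing description ("Get the code in Bcp47 format which we can use inside of html lang="" tags") now sits directly above a NOTE saying the value is not HTML-safe, which reads as contradictory. Rewording the first sentence to something like "Get the code in BCP 47 format, suitable for the HTML lang="" attribute once escaped" removes the ambiguity; "Bcp47" should also be spelled "BCP 47" to match the RFC reference style used in the getCode() docblock.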