Sanitize $limitReport before outputting

Prevents possible injection of "-->" and other HTML by extensions using
the ParserLimitReport hook.

bug: 46084
Change-Id: Id97b6668da6df3e5e4c0acefffa00c82cac3c44a

diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 0247d3e..3ada925 100644 (file)
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -501,6 +501,11 @@ class Parser {
                                "Highest expansion depth: {$this->mHighestExpansionDepth}/{$this->mOptions->getMaxPPExpandDepth()}\n" .
                                $PFreport;
                        wfRunHooks( 'ParserLimitReport', array( $this, &$limitReport ) );
+
+                       // Sanitize for comment. Note '‐' in the replacement is U+2010,
+                       // which looks much like the problematic '-'.
+                       $limitReport = str_replace( array( '-', '&' ), array( '‐', '&' ), $limitReport );
+
                        $text .= "\n<!-- \n$limitReport-->\n";
 
                        if ( $this->mGeneratedPPNodeCount > $this->mOptions->getMaxGeneratedPPNodeCount() / 10 ) {