From 179e0509f1a21e6cdb8f9c907522fb7408d52916 Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Sat, 2 Oct 2004 20:30:04 +0000 Subject: [PATCH] * Fix for XHTML valid output * Escape text to avoid HTML injection --- extensions/UnicodeConverter.php | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/extensions/UnicodeConverter.php b/extensions/UnicodeConverter.php index cd1966a102..1012889cb9 100644 --- a/extensions/UnicodeConverter.php +++ b/extensions/UnicodeConverter.php @@ -23,20 +23,20 @@ class UnicodeConverter extends SpecialPage $q = $wgRequest->getText( 'q' ); $encQ = htmlspecialchars( $q ); - $action = $wgTitle->getLocalUrl(); - $ok = wfMsg( "ok" ); + $action = $wgTitle->escapeLocalUrl(); + $ok = htmlspecialchars( wfMsg( "ok" ) ); - $wgOut->addHTML( " -
-
-

-
" ); + $wgOut->addHTML( << +
+

+ +END +); if ( !is_null( $q ) ) { - $html = wfUtf8ToHTML( $q ); - $wgOut->addHTML( "\n\n\n" . nl2br( $html ) . "\n
\n" . + $html = wfUtf8ToHTML( htmlspecialchars( $q ) ); + $wgOut->addHTML( "\n\n\n" . nl2br( $html ) . "\n
\n" . nl2br( htmlspecialchars( $html ) ) . "\n\n" ); } } -- 2.20.1
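Review bot: The escape-then-convert order in `$html = wfUtf8ToHTML( htmlspecialchars( $q ) );` is safe only if wfUtf8ToHTML() never emits a raw `<`, `>`, `&` or `"` of its own, and that function is defined outside this patch, so the assumption is unchecked here. I would pin it with a comment above the line, `// Escape first: wfUtf8ToHTML() must only add numeric character references`. A second comment on `nl2br( htmlspecialchars( $html ) )` should say the double escaping is deliberate (it presumably displays the entity source), so a later cleanup does not remove it. htmlspecialchars() in its default mode leaves single quotes unescaped, so `$encQ` and `$ok` must sit in double-quoted attributes or element content inside the heredoc; the heredoc markup is not visible on this page, so this should be confirmed against the file. The enclosing method starts before the hunk.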