* (bug 19784) date option "ISO 8601" produced illegal id
authorBrion Vibber <brion@users.mediawiki.org>
Sun, 19 Jul 2009 16:49:58 +0000 (16:49 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Sun, 19 Jul 2009 16:49:58 +0000 (16:49 +0000)
Now running auto-generated id/names for radio group items through Sanitizer::escapeId().
For good measure, also manually checking the input 'name' and 'id' field values for base fields against validation and throwing an exception if we ain't got em.

RELEASE-NOTES
includes/HTMLForm.php

index ed2a513..bf625ed 100644 (file)
@@ -289,6 +289,7 @@ this. Was used when mwEmbed was going to be an extension.
   standard, nostalgia and cologneblue skin
 * (bug 19814) interwiki links from file links ([[File:Foo.jpg|link=de:Test]])
   are no longer recorded in the pagelinks table
+* (bug 19784) date option "ISO 8601" produced illegal id
 
 == API changes in 1.16 ==
 
index f634c5b..9cf212e 100644 (file)
@@ -407,8 +407,13 @@ abstract class HTMLFormField {
                }
 
                if ( isset( $params['name'] ) ) {
-                       $this->mName = 'wp'.$params['name'];
-                       $this->mID = 'mw-input-'.$params['name'];
+                       $name = $params['name'];
+                       $validName = Sanitizer::escapeId( $name );
+                       if( $name != $validName ) {
+                               throw new MWException("Invalid name '$name' passed to " . __METHOD__ );
+                       }
+                       $this->mName = 'wp'.$name;
+                       $this->mID = 'mw-input-'.$name;
                }
 
                if ( isset( $params['default'] ) ) {
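Review bot: The validity check `if( $name != $validName )` uses PHP's loose comparison, which compares two numeric-looking strings by value rather than byte for byte, so the round-trip test is weaker than it reads. `if ( $name !== $validName ) {` states the intent exactly. The same applies to `$id != $validId` in the next hunk of this file. A one-line comment such as `// A name is valid only if Sanitizer::escapeId() returns it unchanged` would also make the validation-by-round-trip idiom explicit. The enclosing method starts and ends outside the hunk.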
@@ -416,7 +421,12 @@ abstract class HTMLFormField {
                }
 
                if ( isset( $params['id'] ) ) {
-                       $this->mID = $params['id'];
+                       $id = $params['id'];
+                       $validId = Sanitizer::escapeId( $id );
+                       if( $id != $validId ) {
+                               throw new MWException("Invalid id '$id' passed to " . __METHOD__ );
+                       }
+                       $this->mID = $id;
                }
 
                if ( isset( $params['validation-callback'] ) ) {
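Review bot: The message on the new `throw` line interpolates the rejected `$id` verbatim, and that value is by definition one that failed id escaping, so it may contain quotes or markup characters. Whether MWException output is HTML-escaped when it is displayed is not visible in this diff, so that is worth confirming. A comment like `// $id is raw here; the exception renderer must escape the message` would record the assumption. The 'name' message in the previous hunk has the same shape. The enclosing method continues outside the hunk.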
@@ -811,10 +821,11 @@ class HTMLRadioField extends HTMLFormField {
                                $html .= Xml::tags( 'h1', null, $label ) . "\n";
                                $html .= $this->formatOptions( $info, $value );
                        } else {
+                               $id = Sanitizer::escapeId( $this->mID . "-$info" );
                                $html .= Xml::radio( $this->mName, $info, $info == $value,
-                                                                               $attribs + array( 'id' => $this->mID . "-$info" ) );
+                                                                               $attribs + array( 'id' => $id ) );
                                $html .= '&nbsp;' .
-                                               Xml::tags( 'label', array( 'for' => $this->mID . "-$info" ), $label );
+                                               Xml::tags( 'label', array( 'for' => $id ), $label );
 
                                $html .= "<br/>\n";
                        }
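Review bot: Escaping `$this->mID . "-$info"` makes each generated id legal but does not keep it unique. If Sanitizer::escapeId() maps two distinct option values to the same string (its mapping is not visible in this diff), two radios in the group would share an id and the second `label for` would point at the first radio. A comment above the new line, e.g. `// ids derive from option values; values must stay distinct after escapeId()`, would document the constraint. The enclosing method starts outside the hunk.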