Live fix: escape <, >, and " chars that sneak into tables, etc due to parser ordering...
[lhc/web/wiklou.git] / includes / Sanitizer.php
index 45f7a49..37b2389 100644 (file)
@@ -577,6 +577,9 @@ class Sanitizer {
                        # Templates and links may be expanded in later parsing,
                        # creating invalid or dangerous output. Suppress this.
                        $value = strtr( $value, array(
+                               '<'    => '&lt;',   // This should never happen,
+                               '>'    => '&gt;',   // we've received invalid input
+                               '"'    => '&quot;', // which should have been escaped.
                                '{'    => '&#123;',
                                '['    => '&#91;',
                                "''"   => '&#39;&#39;',
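Review bot: The three new map entries are a silent defense-in-depth fallback — the inline comments say the characters "should never happen", yet when they do the code masks the upstream parser-ordering bug without any trace, so the real cause stays invisible. Consider emitting a debug line when the value actually contains one of them, e.g. `if ( strpbrk( $value, '<>"' ) !== false ) { wfDebug( __METHOD__ . ": unescaped markup reached attribute value\n" ); }` ahead of the strtr, so the cases this patch catches can be found and fixed at the source. The map also handles `"` but not a lone `'`; whether that matters depends on how the enclosing method quotes the attribute on output, which is outside this hunk, and should be confirmed. A single explanatory comment above the array (`# Fallback: these should already be entity-encoded by earlier passes; escape defensively`) would read better than the sentence split across the three trailing comments. The enclosing method of class Sanitizer starts and ends outside the hunk.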