[MediaWiki-commits] [Gerrit] SECURITY: Make < and > be escaped in attribute values in Htm... - change (mediawiki/core)

[Mglaser (Code Review)]

Mglaser has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/176167

Change subject: SECURITY: Make < and > be escaped in attribute values in 
Html::expandAttributes
......................................................................

SECURITY: Make < and > be escaped in attribute values in Html::expandAttributes

This makes the code just use Sanitizer::encodeAttribute, which in
addition to that, also escapes single quote marks.

Change-Id: I4895d2b489d62e27cf033835e3b49f069fbd7b48
---
M includes/Html.php
1 file changed, 4 insertions(+), 24 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/67/176167/1

diff --git a/includes/Html.php b/includes/Html.php
index b1d4f00..ac0aa49 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -529,30 +529,10 @@
                                        $ret .= " $key=\"\"";
                                }
                        } else {
-                               // Apparently we need to entity-encode \n, \r, 
\t, although the
-                               // spec doesn't mention that.  Since we're 
doing strtr() anyway,
-                               // and we don't need <> escaped here, we may as 
well not call
-                               // htmlspecialchars().
-                               // @todo FIXME: Verify that we actually need to
-                               // escape \n\r\t here, and explain why, exactly.
-                               #
-                               // We could call Sanitizer::encodeAttribute() 
for this, but we
-                               // don't because we're stubborn and like our 
marginal savings on
-                               // byte size from not having to encode 
unnecessary quotes.
-                               $map = array(
-                                       '&' => '&amp;',
-                                       '"' => '&quot;',
-                                       "\n" => '&#10;',
-                                       "\r" => '&#13;',
-                                       "\t" => '&#9;'
-                               );
-                               if ( $wgWellFormedXml ) {
-                                       // This is allowed per spec: 
<http://www.w3.org/TR/xml/#NT-AttValue>
-                                       // But reportedly it breaks some XML 
tools?
-                                       // @todo FIXME: Is this really true?
-                                       $map['<'] = '&lt;';
-                               }
-                               $ret .= " $key=$quote" . strtr( $value, $map ) 
. $quote;
+                               // Note: It's important to encode < and >, even 
if its not
+                               // required in this context, due to how 
language converter
+                               // works.
+                               $ret .= " $key=$quote" . 
Sanitizer::encodeAttribute( $value ) . $quote;
                        }
                }
                return $ret;

-- 
To view, visit https://gerrit.wikimedia.org/r/176167
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I4895d2b489d62e27cf033835e3b49f069fbd7b48
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_23
Gerrit-Owner: Mglaser <gla...@hallowelt.biz>
Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits