Mglaser has uploaded a new change for review. https://gerrit.wikimedia.org/r/176167
Change subject: SECURITY: Make < and > be escaped in attribute values in Html::expandAttributes ...................................................................... SECURITY: Make < and > be escaped in attribute values in Html::expandAttributes This makes the code just use Sanitizer::encodeAttribute, which in addition to that, also escapes single quote marks. Change-Id: I4895d2b489d62e27cf033835e3b49f069fbd7b48 --- M includes/Html.php 1 file changed, 4 insertions(+), 24 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/67/176167/1 diff --git a/includes/Html.php b/includes/Html.php index b1d4f00..ac0aa49 100644 --- a/includes/Html.php +++ b/includes/Html.php @@ -529,30 +529,10 @@ $ret .= " $key=\"\""; } } else { - // Apparently we need to entity-encode \n, \r, \t, although the - // spec doesn't mention that. Since we're doing strtr() anyway, - // and we don't need <> escaped here, we may as well not call - // htmlspecialchars(). - // @todo FIXME: Verify that we actually need to - // escape \n\r\t here, and explain why, exactly. - # - // We could call Sanitizer::encodeAttribute() for this, but we - // don't because we're stubborn and like our marginal savings on - // byte size from not having to encode unnecessary quotes. - $map = array( - '&' => '&', - '"' => '"', - "\n" => ' ', - "\r" => ' ', - "\t" => '	' - ); - if ( $wgWellFormedXml ) { - // This is allowed per spec: <http://www.w3.org/TR/xml/#NT-AttValue> - // But reportedly it breaks some XML tools? - // @todo FIXME: Is this really true? - $map['<'] = '<'; - } - $ret .= " $key=$quote" . strtr( $value, $map ) . $quote; + // Note: It's important to encode < and >, even if its not + // required in this context, due to how language converter + // works. + $ret .= " $key=$quote" . Sanitizer::encodeAttribute( $value ) . $quote; } } return $ret; -- To view, visit https://gerrit.wikimedia.org/r/176167 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I4895d2b489d62e27cf033835e3b49f069fbd7b48 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_23 Gerrit-Owner: Mglaser <gla...@hallowelt.biz> Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits