CSteipp has uploaded a new change for review. https://gerrit.wikimedia.org/r/201037
Change subject: SECURITY: Escape > in Html::expandAttributes ...................................................................... SECURITY: Escape > in Html::expandAttributes Escape > characters in attributes, so we don't confuse post-processing, like LanguageConverter. Bug: T73394 Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72 --- M includes/Html.php M tests/parser/parserTests.txt 2 files changed, 7 insertions(+), 4 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/37/201037/1 diff --git a/includes/Html.php b/includes/Html.php index 2187b5b..7fa901f 100644 --- a/includes/Html.php +++ b/includes/Html.php @@ -525,17 +525,20 @@ } else { # Apparently we need to entity-encode \n, \r, \t, although the # spec doesn't mention that. Since we're doing strtr() anyway, - # and we don't need <> escaped here, we may as well not call - # htmlspecialchars(). + # we may as well not call htmlspecialchars(). # @todo FIXME: Verify that we actually need to # escape \n\r\t here, and explain why, exactly. # # We could call Sanitizer::encodeAttribute() for this, but we # don't because we're stubborn and like our marginal savings on # byte size from not having to encode unnecessary quotes. + # The only difference between this transform and the one by + # Sanitizer::encodeAttribute() is '<' is only encoded here if + # $wgWellFormedXml is set, and ' is not encoded. $map = array( '&' => '&', '"' => '"', + '>' => '>', "\n" => ' ', "\r" => ' ', "\t" => '	' diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt index c833ef0..22fe118 100644 --- a/tests/parser/parserTests.txt +++ b/tests/parser/parserTests.txt @@ -4506,7 +4506,7 @@ <li class="toclevel-1 tocsection-5"><a href="#text_.22_text"><span class="tocnumber">5</span> <span class="toctext">text " text</span></a></li> </ul> </td></tr></table> -<h2><span class="editsection">[<a href="/index.php?title=Parser_test&action=edit&section=1" title="Edit section: text > text">edit</a>]</span> <span class="mw-headline" id="text_.3E_text"> text > text </span></h2> +<h2><span class="editsection">[<a href="/index.php?title=Parser_test&action=edit&section=1" title="Edit section: text > text">edit</a>]</span> <span class="mw-headline" id="text_.3E_text"> text > text </span></h2> <p>section 1 </p> <h2><span class="editsection">[<a href="/index.php?title=Parser_test&action=edit&section=2" title="Edit section: text < text">edit</a>]</span> <span class="mw-headline" id="text_.3C_text"> text < text </span></h2> @@ -9165,7 +9165,7 @@ </ul> </td></tr></table> <h2><span class="editsection">[<a href="/index.php?title=Parser_test&action=edit&section=1" title="Edit section: Hello">edit</a>]</span> <span class="mw-headline" id="Hello"> <sup class="in-h2">Hello</sup> </span></h2> -<h2><span class="editsection">[<a href="/index.php?title=Parser_test&action=edit&section=2" title="Edit section: b">Evilbye">edit</a>]</span> <span class="mw-headline" id="b.22.3EEvilbye"> <sup> b">Evilbye</sup> </span></h2> +<h2><span class="editsection">[<a href="/index.php?title=Parser_test&action=edit&section=2" title="Edit section: b">Evilbye">edit</a>]</span> <span class="mw-headline" id="b.22.3EEvilbye"> <sup> b">Evilbye</sup> </span></h2> !! end -- To view, visit https://gerrit.wikimedia.org/r/201037 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_19 Gerrit-Owner: CSteipp <cste...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits