jenkins-bot has submitted this change and it was merged.

Change subject: Sanitize $limitReport before outputting
......................................................................


Sanitize $limitReport before outputting

Prevents possible injection of "-->" and other HTML by extensions using
the ParserLimitReport hook.

bug: 46084
Change-Id: Id97b6668da6df3e5e4c0acefffa00c82cac3c44a
(cherry picked from commit 69f96f65dd99e54b84e489e7d957b7526653474c)
---
M includes/parser/Parser.php
1 file changed, 5 insertions(+), 0 deletions(-)

Approvals:
  MarkAHershberger: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 99042ae..0b494c2 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -501,6 +501,11 @@
                                "Highest expansion depth: 
{$this->mHighestExpansionDepth}/{$this->mOptions->getMaxPPExpandDepth()}\n" .
                                $PFreport;
                        wfRunHooks( 'ParserLimitReport', array( $this, 
&$limitReport ) );
+
+                       // Sanitize for comment. Note '‐' in the replacement is 
U+2010,
+                       // which looks much like the problematic '-'.
+                       $limitReport = str_replace( array( '-', '&' ), array( 
'‐', '&' ), $limitReport );
+
                        $text .= "\n<!-- \n$limitReport-->\n";
 
                        if ( $this->mGeneratedPPNodeCount > 
$this->mOptions->getMaxGeneratedPPNodeCount() / 10 ) {
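Review bot: as rendered here the second replacement pair, `array( '-', '&' ), array( '‐', '&' )`, maps `&` to itself, so that half of the `str_replace()` is a no-op; if the intended replacement was the entity form, the mailing-list rendering has decoded it, and the hunk should be checked against the actual commit before relying on it. The hyphen replacement does what the commit message says: once every `-` in `$limitReport` is rewritten to U+2010, an extension-supplied report can no longer contain `-->` and so cannot close the `<!-- ... -->` comment early or inject markup after it. It also rewrites every legitimate hyphen in the report, so a comment stating that the limit report is human-readable diagnostic text that nothing parses back would help future readers; a unit test that runs a report containing `-->` through this path and asserts the generated output contains only the closing `-->` would lock the fix in.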

-- 
To view, visit https://gerrit.wikimedia.org/r/59375

Gerrit-MessageType: merged
Gerrit-Change-Id: Id97b6668da6df3e5e4c0acefffa00c82cac3c44a
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_21
Gerrit-Owner: PleaseStand <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: Daniel Friesen <[email protected]>
Gerrit-Reviewer: MarkAHershberger <[email protected]>
Gerrit-Reviewer: jenkins-bot

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
