jenkins-bot has submitted this change and it was merged.
Change subject: Escaping titles on revision history and diff pages
......................................................................
Escaping titles on revision history and diff pages
(bug 52706)
Escaping entity labels on revision history and diff pages.
Change-Id: If6cf937596053ed298c350e5371b8dc6c9bb56cd
---
M repo/includes/actions/HistoryEntityAction.php
M repo/includes/actions/ViewEntityAction.php
2 files changed, 8 insertions(+), 2 deletions(-)
Approvals:
Aude: Looks good to me, approved
jenkins-bot: Verified
diff --git a/repo/includes/actions/HistoryEntityAction.php
b/repo/includes/actions/HistoryEntityAction.php
index 4193053..35c8700 100644
--- a/repo/includes/actions/HistoryEntityAction.php
+++ b/repo/includes/actions/HistoryEntityAction.php
@@ -86,8 +86,11 @@
$prefixedId = ucfirst( $idPrefixer->format( $entity->getId() )
);
if ( isset( $labelText ) ) {
+ // Escaping HTML characters in order to retain original
label that may contain HTML
+ // characters. This prevents having characters
evaluated or stripped via
+ // OutputPage::setPageTitle:
return $this->msg( 'wikibase-history-title-with-label' )
- ->rawParams( $prefixedId, $labelText )->text();
+ ->rawParams( $prefixedId, htmlspecialchars(
$labelText ) )->text();
}
else {
return $this->msg(
'wikibase-history-title-without-label' )
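Review bot: The `htmlspecialchars( $labelText )` call in the label branch relies on PHP's default flags, which before PHP 8.1 leave single quotes unescaped. That is enough for element content, but where the returned string finally ends up is not visible in this hunk. Passing the flags explicitly, `->rawParams( $prefixedId, htmlspecialchars( $labelText, ENT_QUOTES ) )->text();`, keeps the value safe if the title is ever reused inside an attribute. `$prefixedId` is still passed raw; it appears to come from the id formatter rather than from user-editable text, and the added comment should say so, so that the asymmetry reads as deliberate. The enclosing method starts and ends outside the hunk.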
diff --git a/repo/includes/actions/ViewEntityAction.php
b/repo/includes/actions/ViewEntityAction.php
index fb6fa1a..24720a1 100644
--- a/repo/includes/actions/ViewEntityAction.php
+++ b/repo/includes/actions/ViewEntityAction.php
@@ -253,6 +253,9 @@
// Create and set the title.
if ( $this->getContext()->getRequest()->getCheck( 'diff' ) ) {
+ // Escaping HTML characters in order to retain original
label that may contain HTML
+ // characters. This prevents having characters
evaluated or stripped via
+ // OutputPage::setPageTitle:
$out->setPageTitle(
$this->msg(
'difference-title'
@@ -261,7 +264,7 @@
// or should set the attribute of the
h1 to correct direction.
// Still note that the direction is
"auto" so guessing should
// give the right direction in most
cases.
- )->rawParams( $labelText )
+ )->rawParams( htmlspecialchars( $labelText ) )
);
} else {
// Prevent replacing {{...}} by using rawParams()
instead of params():
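Review bot: Only the diff branch gains escaping here, while the `else` branch at the end of the hunk also builds the title through `rawParams()` and its arguments are cut off. From these lines it cannot be confirmed whether the label is escaped on that path as well; if it is not, it needs the same `htmlspecialchars( $labelText )` wrapping. The commit also touches no test file. A regression test with a constructed label such as `<b>x</b> &amp; y`, asserting that the history and diff titles show it literally, would keep a later refactor from dropping the escaping.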
--
To view, visit https://gerrit.wikimedia.org/r/92308
Gerrit-MessageType: merged
Gerrit-Change-Id: If6cf937596053ed298c350e5371b8dc6c9bb56cd
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/extensions/Wikibase
Gerrit-Branch: master
Gerrit-Owner: Henning Snater <[email protected]>
Gerrit-Reviewer: Aude <[email protected]>
Gerrit-Reviewer: jenkins-bot