https://www.mediawiki.org/wiki/Special:Code/MediaWiki/108320

Revision: 108320
Author:   ashley
Date:     2012-01-07 15:09:34 +0000 (Sat, 07 Jan 2012)
Log Message:
-----------
Comments: follow-up to r108295: XSS fix

Modified Paths:
--------------
    trunk/extensions/Comments/SpecialCommentIgnoreList.php

Modified: trunk/extensions/Comments/SpecialCommentIgnoreList.php
===================================================================
--- trunk/extensions/Comments/SpecialCommentIgnoreList.php      2012-01-07 
15:09:26 UTC (rev 108319)
+++ trunk/extensions/Comments/SpecialCommentIgnoreList.php      2012-01-07 
15:09:34 UTC (rev 108320)
@@ -42,6 +42,7 @@
                        $out .= $this->displayCommentBlockList();
                } else {
                        if( $wgRequest->wasPosted() ) {
+                               $user_name = htmlspecialchars_decode( 
$user_name );
                                $user_id = User::idFromName( $user_name );
                                // Anons can be comment-blocked, but idFromName 
returns nothing
                                // for an anon, so...
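Review bot: The added `htmlspecialchars_decode( $user_name )` uses the function's default flags (ENT_COMPAT on the PHP of this era), which do not turn `&#039;` back into `'`, while the companion hunk encodes the same value with ENT_QUOTES; a name containing an apostrophe therefore arrives still entity-encoded and `User::idFromName()` will not match it. If the encode/decode round-trip is kept, the flags must agree: `$user_name = htmlspecialchars_decode( $user_name, ENT_QUOTES );`. The more robust fix is not to HTML-encode the value placed in the hidden field at all and to escape only at output, which removes the need for this decode entirely. The enclosing method begins before the hunk, so where `$user_name` is read from the request, and whether it is already escaped at that point, is not visible here.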
@@ -112,9 +113,9 @@
                                wfMsg( 'comment-ignore-remove-message', 
$user_name ) .
                        '</div>
                        <div>
-                               <form action="" method="post" 
name="comment_block">
-                                       <input type="hidden" name="user" 
value="' . $user_name . '" />
-                                       <input type="button" 
class="site-button" value="' . wfMsg( 'comment-ignore-unblock' ) . '" 
onclick="document.comment_block.submit()" />
+                               <form action="" method="post" 
name="comment_block">' .
+                                       Html::hidden( 'user', htmlspecialchars( 
$user_name, ENT_QUOTES ) ) .
+                                       '<input type="button" 
class="site-button" value="' . wfMsg( 'comment-ignore-unblock' ) . '" 
onclick="document.comment_block.submit()" />
                                        <input type="button" 
class="site-button" value="' . wfMsg( 'comment-ignore-cancel' ) . '" 
onclick="history.go(-1)" />
                                </form>
                        </div>';
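Review bot: `Html::hidden( 'user', htmlspecialchars( $user_name, ENT_QUOTES ) )` double-encodes: `Html::hidden()` escapes its attribute values itself (as MediaWiki's `Html` helpers do), so the markup carries `&amp;lt;`-style entities and the browser submits an entity-encoded name on POST, which is what forces the decode in the POST handler. `Html::hidden( 'user', $user_name )` is sufficient here and keeps the posted value identical to the real user name. The context line `wfMsg( 'comment-ignore-remove-message', $user_name )` concatenates the name into HTML, and `wfMsg()` does not escape its parameters, so unless `$user_name` was escaped earlier in this method (which starts before the hunk) that remains an unescaped sink; passing `htmlspecialchars( $user_name )` there would close it without affecting the form value.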

