https://bugzilla.wikimedia.org/show_bug.cgi?id=18620
--- Comment #3 from Roan Kattouw <[email protected]> 2009-04-29 12:58:33 UTC ---

(In reply to comment #2)
> You mean the hack? TBH I didn't actually try it, I knew what I needed and what
> was available in TablePager, and gave up in disgust. Whoever wrote that comment
> in CodeReview was right, the function wasn't particularly accessible. The
> positioning of the $this->mCurrentRow=$row; line is just stupid.
>
> Or do you mean the patch? :-S
>

No, I meant the HTML injection hack. I hadn't even looked at the patch yet. Now that I have:

    $td = Xml::openElement( 'td', $this->getCellAttrs($field,$value) );
    $s .= "$td $formatted </td>";

You should simply use:

    $s .= Xml::element( 'td', $this->getCellAttrs( $field, $value ), $formatted );

(or Xml::tags() if $formatted contains HTML and should not be escaped; I couldn't tell from the patch).

    return array( 'class' => htmlspecialchars( $this->getRowClass( $row ) ) );

You don't need to (and shouldn't) use htmlspecialchars() here: the Xml:: functions will handle proper escaping. This way, you'll probably end up double-escaping stuff. The same applies to getCellAttrs().
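The two problems the comment raises (raw concatenation of the cell contents, and pre-escaping an attribute that the Xml:: helper escapes again) can be seen side by side in the following added example. It is not code from the bug report, the patch, or MediaWiki: `xmlElement()` and `xmlTags()` are small stand-ins written here on the assumption that `Xml::element()` escapes both attribute values and contents while `Xml::tags()` escapes only attribute values; the cell value and row class are constructed sample data.

```php
<?php
// Added illustration, not MediaWiki code. Stand-ins for the assumed behaviour of
// Xml::element() (escapes attributes and contents) and Xml::tags() (escapes
// attributes only).
function expandAttributes( array $attribs ): string {
    $out = '';
    foreach ( $attribs as $name => $value ) {
        // Every attribute value is escaped exactly once, here.
        $out .= ' ' . $name . '="' . htmlspecialchars( (string)$value, ENT_QUOTES ) . '"';
    }
    return $out;
}

function xmlElement( string $element, array $attribs, string $contents ): string {
    // Contents are plain text: escape them.
    return "<$element" . expandAttributes( $attribs ) . '>'
        . htmlspecialchars( $contents, ENT_QUOTES ) . "</$element>";
}

function xmlTags( string $element, array $attribs, string $contents ): string {
    // Contents are trusted HTML: passed through as-is.
    return "<$element" . expandAttributes( $attribs ) . ">$contents</$element>";
}

// Constructed sample input: a cell value under attacker control and a row
// class containing characters that need escaping.
$formatted = '<script>alert(1)</script>';
$rowClass  = 'mw-row "a&b"';

// 1. The pattern from the patch: the helper builds the open tag, but the cell
//    contents are concatenated without escaping, so markup in $formatted
//    reaches the page untouched.
$td = '<td' . expandAttributes( [ 'class' => $rowClass ] ) . '>';
$patched = "$td $formatted </td>";

// 2. The pattern suggested in the review: hand the contents to the helper and
//    let it escape them.
$fixed = xmlElement( 'td', [ 'class' => $rowClass ], $formatted );

// 3. Double escaping: pre-escaping the attribute value before passing it to a
//    helper that escapes attributes itself turns &quot; into &amp;quot;.
$double = xmlElement( 'td', [ 'class' => htmlspecialchars( $rowClass, ENT_QUOTES ) ], 'x' );
$single = xmlElement( 'td', [ 'class' => $rowClass ], 'x' );

foreach ( [ 'patched' => $patched, 'fixed' => $fixed,
            'double' => $double, 'single' => $single ] as $label => $html ) {
    echo str_pad( $label, 8 ) . $html . "\n";
}
```

Running the script prints the four cells. The first still contains a live `<script>` element, the second has it turned into inert text, and comparing the third with the fourth shows the `&amp;` prefix that double escaping adds to every quote and ampersand in the class attribute, which is what the comment warns about. The practical rule is the one the reviewer states: escape at exactly one layer, and let that layer be the helper that emits the markup.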
