https://bugzilla.wikimedia.org/show_bug.cgi?id=64183
--- Comment #1 from Bartosz Dziewoński <[email protected]> ---
(In reply to Yaron Koren from comment #0)
> I'm told that
> this is not correct behavior, so I'm submitting a bug for it.

By whom?

While it might not be the most fortunate behavior, Html::element only HTML-escapes the attributes and does not mangle their contents.

You could validate user input by checking it against the list of protocols returned by wfUrlProtocols(), or using Sanitizer::validateTagAttributes() to do more thorough cleanup of other attributes as well.
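
The distinction drawn in the comment above, as an added example that is not part of the original message and is not MediaWiki code: HTML-escaping an attribute value leaves a URL's scheme untouched, so the scheme is checked separately against an allow-list before the link is built. `ALLOWED_PROTOCOLS`, `escapeAttr`, `hasAllowedProtocol` and `renderLink` are hypothetical names, and the constant is a constructed stand-in for the protocol list behind wfUrlProtocols().

```php
<?php
// Added example, not MediaWiki code. ALLOWED_PROTOCOLS is a constructed
// stand-in (assumption) for the protocol list behind wfUrlProtocols().
const ALLOWED_PROTOCOLS = [ 'http://', 'https://', 'mailto:' ];

/** HTML-escape an attribute value; the value's meaning is left unchanged. */
function escapeAttr( string $value ): string {
	return htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' );
}

/** True only if $url begins with an allowed protocol (case-insensitive). */
function hasAllowedProtocol( string $url, array $protocols = ALLOWED_PROTOCOLS ): bool {
	$alternatives = implode( '|', array_map(
		static function ( string $p ): string {
			return preg_quote( $p, '/' );
		},
		$protocols
	) );
	return preg_match( '/^(?:' . $alternatives . ')/i', $url ) === 1;
}

/** Build a link only for validated URLs; otherwise emit escaped plain text. */
function renderLink( string $url, string $text ): string {
	if ( !hasAllowedProtocol( $url ) ) {
		return escapeAttr( $text );
	}
	return '<a href="' . escapeAttr( $url ) . '">' . escapeAttr( $text ) . '</a>';
}

// Constructed sample inputs: one ordinary URL, two with a scheme outside the list.
$samples = [
	'https://example.org/?a=1&b="2"',
	'javascript:alert(1)',
	'JavaScript:alert(1)',
];
foreach ( $samples as $url ) {
	echo "input:     $url\n";
	echo "escaped:   " . escapeAttr( $url ) . "\n";
	echo "validated: " . renderLink( $url, 'link' ) . "\n\n";
}
```

In the output, the "escaped" line for the second and third samples is identical to the input, while the "validated" line contains no link for them.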
