Aryeh Gregor wrote:
> On Thu, Mar 26, 2009 at 3:24 PM, Ilmari Karonen <[email protected]> wrote:
>> --- includes/CategoryPage.php (revision 48416)
>> +++ includes/CategoryPage.php (working copy)
>> @@ -189,7 +189,7 @@
>> */
>> function addPage( $title, $sortkey, $pageLength, $isRedirect = false
>> ) {
>> global $wgContLang;
>> - $titletext = $wgContLang->convert( $title->getPrefixedText()
>> );
>> + $titletext = $wgContLang->convert( $sortkey );
>> $this->articles[] = $isRedirect
>> ? '<span class="redirect-in-category">' .
>> $this->getSkin()->makeKnownLinkObj( $title, $titletext ) . '</span>'
>> : $this->getSkin()->makeSizeLinkObj( $pageLength,
>> $title, $titletext );
>>
>> It would be easy to make this depend on a config option, too. If anyone
>> else thinks that would be a good idea, I can commit it.
>
> Doesn't this introduce a trivial XSS vulnerability?
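Review bot: the `+` line makes `$titletext` the raw `$sortkey`, and the unchanged context lines then hand it straight to `makeKnownLinkObj( $title, $titletext )` and `makeSizeLinkObj( $pageLength, $title, $titletext )` as link text with no HTML escaping, so `<`, `>`, `&` or quote characters in a sort key reach the page markup verbatim; the removed line had the same shape but drew its text from `getPrefixedText()`, which is subject to title validation, whereas a sort key is not. Escape at this point, e.g. `$titletext = htmlspecialchars( $wgContLang->convert( $sortkey ) );`, or confirm that the skin helpers escape their text argument before committing; putting the behaviour behind a config option, as the message offers, does not remove the need for escaping in either branch.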
Hmm, you're right, it does -- I didn't realize the title was used unescaped. That looks uncomfortably close to an XSS vulnerability anyway. I'd feel a lot more comfortable with a htmlspecialchars() in there.

(Didn't we use to allow "<" in titles not so very long ago? Certainly the feature that disallows HTML entities in titles is fairly recent.)

--
Ilmari Karonen

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
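The escaping point discussed in the thread, as an added stand-alone example that is not MediaWiki code: renderCategoryEntry() is a hypothetical stand-in for the skin's makeSizeLinkObj(), assumed to interpolate its text argument as-is, and the two titleText*() helpers show the hunk's raw sort key beside the htmlspecialchars() version Ilmari suggests.

```php
<?php
// Added example, not from CategoryPage.php. Assumption: the skin helper
// wraps its text argument in <a> without escaping it, so the caller must.
function renderCategoryEntry( string $href, string $linkText ): string {
    return '<a href="' . htmlspecialchars( $href, ENT_QUOTES, 'UTF-8' ) . '">'
        . $linkText . '</a>';
}

// What the hunk does: the sort key becomes link text unchanged.
function titleTextUnescaped( string $sortkey ): string {
    return $sortkey;
}

// The suggested fix: escape at the point where the string becomes HTML
// (after any $wgContLang->convert() step, which is omitted here).
function titleTextEscaped( string $sortkey ): string {
    return htmlspecialchars( $sortkey, ENT_QUOTES, 'UTF-8' );
}

// Returns true when the rendered entry contains a <b> element, i.e. when
// markup carried in the sort key survived into the output as HTML.
function containsInjectedTag( string $html ): bool {
    return strpos( $html, '<b ' ) !== false;
}

// Constructed sample: acceptable as a sort key, but not safe as raw HTML.
$sortkey = 'Zeta <b title="x">bold</b> & co';

$unsafe = renderCategoryEntry( '/wiki/Zeta', titleTextUnescaped( $sortkey ) );
$safe   = renderCategoryEntry( '/wiki/Zeta', titleTextEscaped( $sortkey ) );

if ( !containsInjectedTag( $unsafe ) ) {
    throw new RuntimeException( 'unescaped variant should carry the tag through' );
}
if ( containsInjectedTag( $safe ) || strpos( $safe, '&lt;b ' ) === false ) {
    throw new RuntimeException( 'escaped variant should render the tag as text' );
}

echo "unescaped: $unsafe\n";
echo "escaped:   $safe\n";
```

The same check applies to the makeKnownLinkObj() branch of the hunk, since both branches receive the same $titletext.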
