User "Brion VIBBER" posted a comment on MediaWiki.r89284.
Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/89284#c17558
Commit summary:
changing some var names to reflect current naming, fixing some tabs, adding
some comments
Comment:
This looks pretty wrong:
<pre>
+ $eNoticeName = htmlspecialchars( $noticeName );
$row = $dbr->selectRow( 'cn_notices', 'not_id', array(
'not_name' => $eNoticeName ) );
</pre>
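Review bot: the added `$eNoticeName = htmlspecialchars( $noticeName );` line escapes for HTML output a value that is only ever used as a query condition, and the array-form `'not_name' => $eNoticeName` condition handed to `$dbr->selectRow()` is already quoted by the DB wrapper, so the name is escaped for the wrong context and then escaped again. Any notice name containing `&`, `<`, `>` or a double quote is compared as its entity form (`R&D` becomes `R&amp;D`) and the lookup silently finds nothing, while `htmlspecialchars()` adds no SQL protection the wrapper does not already provide. Drop the `$eNoticeName` line and pass the raw value: `'not_name' => $noticeName`.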
This looks to have actually regressed originally in r42333... where actually it
was also wrong (calling mysql_real_escape_string() and then passing that into
the wrappers for additional escaping). There seem to be a few other instances
of using htmlspecialchars() on notice names before passing them into DB wrappers
here; in getNoticeProjects, getNoticeLanguages, getNoticeCountries at least.
_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
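The failure mode the review points out, as an added stand-alone example that is not CentralNotice or MediaWiki code: a notice name is HTML-escaped and then handed to a parameterised lookup, so names containing `&`, `<`, `>` or quotes are compared in entity form and never match. PDO with an in-memory SQLite database stands in for MediaWiki's `$dbr->selectRow()` array-form conditions (both bind the value themselves); the `cn_notices` table contents and the `lookupNotice` / `lookupNoticeHtmlEscaped` helpers are constructed for this demonstration.

```php
<?php
// Added example, not code from CentralNotice or MediaWiki. Shows why
// htmlspecialchars() before a parameterised DB lookup breaks the lookup
// instead of protecting it. Runs stand-alone with PHP's bundled pdo_sqlite.

$db = new PDO( 'sqlite::memory:' );
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$db->exec( 'CREATE TABLE cn_notices ( not_id INTEGER PRIMARY KEY, not_name TEXT NOT NULL )' );

// Constructed sample rows, including names with characters that
// htmlspecialchars() rewrites into entities.
$sampleNames = [ 'Fundraiser2011', 'R&D survey', "O'Brien's banner" ];
$insert = $db->prepare( 'INSERT INTO cn_notices ( not_name ) VALUES ( :name )' );
foreach ( $sampleNames as $name ) {
    $insert->execute( [ ':name' => $name ] );
}

/**
 * Correct lookup: the driver binds the value, so it needs no escaping of any
 * kind beforehand. This mirrors passing array( 'not_name' => $noticeName ) to
 * the MediaWiki wrapper, which quotes the value itself.
 */
function lookupNotice( PDO $db, string $noticeName ): ?int {
    $stmt = $db->prepare( 'SELECT not_id FROM cn_notices WHERE not_name = :name' );
    $stmt->execute( [ ':name' => $noticeName ] );
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int)$id;
}

/**
 * The pattern the review objects to: HTML-escape first, then let the wrapper
 * bind the already-rewritten string. ENT_QUOTES is passed explicitly so the
 * single-quote case behaves the same on every PHP version.
 */
function lookupNoticeHtmlEscaped( PDO $db, string $noticeName ): ?int {
    $eNoticeName = htmlspecialchars( $noticeName, ENT_QUOTES );
    return lookupNotice( $db, $eNoticeName );
}

// Plain names match either way; anything with &, <, >, " or ' is only found
// by the correct lookup. Note that htmlspecialchars() leaves backslashes
// untouched, so it was never an SQL escaping function in the first place.
foreach ( $sampleNames as $name ) {
    printf(
        "%-18s correct: %-4s  html-escaped first: %s\n",
        $name,
        var_export( lookupNotice( $db, $name ), true ),
        var_export( lookupNoticeHtmlEscaped( $db, $name ), true )
    );
}
```

The fix in the reviewed code is the same as in this example: delete the `htmlspecialchars()` step and pass the raw name into the wrapper's condition array; HTML escaping belongs at the point where the name is rendered into a page, not where it is used as a key.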