On 26/06/06, Nick Jenkins nickpj@gmail.com wrote:
Don't worry about it, it's an extremely easy thing to miss. It's also partially the name of the variable, $ip, and its implications, as we expect IP addresses to be things like "12.34.56.32", and we simply don't expect an IP address to contain things like '"><script>'.
No, I should know better; what caused it was damn confusion over the bloody wfMsg* functions. I forgot that wfMsgWikiHtml() doesn't escape parameters.
Rob Church
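The pitfall discussed in this thread, as an added example that is not part of the original messages and is not MediaWiki code: `renderMessageRawParams()` is a hypothetical stand-in for a message helper that substitutes parameters after rendering without escaping them, and `safeIpParam()` is a hypothetical caller-side guard. The template and inputs are constructed.

```php
<?php
// Hypothetical stand-in (not MediaWiki's implementation): the template is
// treated as already-rendered HTML and $1, $2, ... are substituted afterwards
// WITHOUT escaping, which is the behaviour the thread describes.
function renderMessageRawParams(string $template, string ...$params): string
{
    $map = [];
    foreach (array_values($params) as $i => $value) {
        $map['$' . ($i + 1)] = $value;
    }
    // strtr() replaces in a single pass, so a parameter that itself contains
    // "$2" is not substituted a second time.
    return strtr($template, $map);
}

// Caller-side guard (hypothetical helper): a variable named $ip is only an
// IP address once it has been validated, and it is escaped for HTML either way.
function safeIpParam(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $ip = '[invalid address: ' . $ip . ']';
    }
    return htmlspecialchars($ip, ENT_QUOTES, 'UTF-8');
}

// Constructed sample data. The second input is the fragment quoted in the thread.
$template = '<p>Edits from <span class="ip">$1</span> are blocked.</p>';
$inputs   = ['12.34.56.32', '"><script>'];

foreach ($inputs as $ip) {
    // Raw: whatever is in $ip lands in the page as markup.
    echo 'raw:     ', renderMessageRawParams($template, $ip), "\n";
    // Guarded: the same helper, but the caller validates and escapes first.
    echo 'guarded: ', renderMessageRawParams($template, safeIpParam($ip)), "\n";
}
```

With the guarded call, the second input is rendered as `[invalid address: &quot;&gt;&lt;script&gt;]` inside the span instead of being interpreted as markup.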