Aryeh Gregor wrote:
On Thu, Mar 26, 2009 at 3:24 PM, Ilmari Karonen nospam@vyznev.net wrote:
--- includes/CategoryPage.php (revision 48416) +++ includes/CategoryPage.php (working copy) @@ -189,7 +189,7 @@ */ function addPage( $title, $sortkey, $pageLength, $isRedirect = false ) { global $wgContLang;
$titletext = $wgContLang->convert( $title->getPrefixedText() );
$titletext = $wgContLang->convert( $sortkey ); $this->articles[] = $isRedirect ? '<span class="redirect-in-category">' .$this->getSkin()->makeKnownLinkObj( $title, $titletext ) . '</span>' : $this->getSkin()->makeSizeLinkObj( $pageLength, $title, $titletext );
It would be easy to make this depend on a config option, too. If anyone else thinks that would be a good idea, I can commit it.
Doesn't this introduce a trivial XSS vulnerability?
Hmm, you're right, it does -- I didn't realize the title was used unescaped. That looks uncomfortably close to an XSS vulnerability anyway. I'd feel a lot more comfortable with a htmlspecialchars() in there. (Didn't we use to allow "<" in titles not so very long ago? Certainly the feature that disallows HTML entities in titles is fairly recent.)