Brion Vibber wrote:
> On Mar 26, 2009, at 18:30, Aryeh Gregor <Simetrical+wikilist@gmail.com> wrote:
>> On Thu, Mar 26, 2009 at 9:15 PM, Ilmari Karonen <nospam@vyznev.net> wrote:
>>> Hmm, you're right, it does -- I didn't realize the title was used unescaped. That looks uncomfortably close to an XSS vulnerability anyway. I'd feel a lot more comfortable with an htmlspecialchars() in there. (Didn't we use to allow "<" in titles not so very long ago? Certainly the feature that disallows HTML entities in titles is fairly recent.)
>> I'm pretty sure we haven't allowed < in titles for a long time.
> At one point they were briefly enabled in dev trunk and immediately disabled for safety. :) Never been enabled in production.
Anyway, I just committed r48922. Whatever else re-enabling "<" in titles might break, category listings should now be safe. :)
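The pattern the thread is worried about (a page title interpolated into category-listing HTML without escaping) and the htmlspecialchars() fix, as an added PHP example. This is not MediaWiki's code and not the content of r48922; the function names renderCategoryItemUnsafe and renderCategoryItem and the sample title are constructed for illustration.

```php
<?php
// Added example, not MediaWiki code. The title is treated as untrusted text:
// even if the title-validation rules reject "<" today, the rendering code
// should not depend on that, as the thread notes.

// The risky pattern: title dropped into HTML as-is. If "<" were ever allowed
// in titles again, this becomes markup injection in the category listing.
function renderCategoryItemUnsafe(string $title, string $href): string {
    return '<li><a href="' . $href . '">' . $title . '</a></li>';
}

// Hardened form: every untrusted value is escaped for the context it lands
// in. ENT_QUOTES escapes both quote styles, so the value is safe inside an
// attribute quoted either way as well as in element text.
function renderCategoryItem(string $title, string $href): string {
    $safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    $safeHref  = htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
    return '<li><a href="' . $safeHref . '">' . $safeTitle . '</a></li>';
}

// Constructed sample title containing the characters under discussion.
$title = 'Foo <b>bar</b> & "baz"';
// The URL path gets its own encoding; HTML escaping is applied on top of it
// when the href is emitted, because it is a different context.
$href  = '/wiki/' . rawurlencode($title);

echo renderCategoryItemUnsafe($title, $href), "\n";
echo renderCategoryItem($title, $href), "\n";

// Regression check in the spirit of "category listings should now be safe":
// the title's own tags must not survive as markup in the hardened output.
assert(strpos(renderCategoryItem($title, $href), '<b>') === false);
assert(strpos(renderCategoryItem($title, $href), '&lt;b&gt;') !== false);
```

The point of the check at the end is that safety should be a property of the rendering code, not of the title-validation rules: a test like this keeps holding whatever the title blacklist allows in the future.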