[Mediawiki-l] Question about recursiveTagParse()

Vadtec vadtec at vadtec.net
Mon Jun 14 00:40:11 UTC 2010

Greetings all,

I'm not sure if this is the right mailing list to be posting this question to,
so if I should be posting to mediawiki-api, please let me know. (I think I'm in
the right spot though.)

I have a question about recursiveTagParse(). Is it XSS safe? As in, do I need to
escape its output with htmlspecialchars() or does it take care of that for me?

I am writing a tag extension, and I need it to be able to parse wiki text. I
have followed the instructions at
(I am running MW 1.15.4), but it doesn't specify if the output is XSS safe or not.

Erring on the side of caution, I have pre-escaped all of my user supplied
variables with htmlspecialchars(), but if I could avoid this step it would be
wonderful, both for the simplicity of coding and performance.

Thanks for any advice you can offer, it's much appreciated.

- Vadtec

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 551 bytes
Desc: OpenPGP digital signature
Url : http://lists.wikimedia.org/pipermail/mediawiki-l/attachments/20100613/759fd383/attachment.pgp 

More information about the MediaWiki-l mailing list