authorPierre Schmitz <pierre@archlinux.de>2007-09-11 00:19:58 +0200
committerPierre Schmitz <pierre@archlinux.de>2007-09-11 00:19:58 +0200
commitd7d08bd1a17618c7d77a6b9b2989e9f7293d6ed6 (patch)
treed782e2d1f10104181ccdeb8231409f3f4b2aae12 /includes
parentd354da0fd0f521019c67bf12eefe527d4cf84017 (diff)
added security patch -> 1.10.2
Diffstat (limited to 'includes')
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/api/ApiFormatBase.php7
2 files changed, 6 insertions, 3 deletions
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index d9bd3760..d8f9a621 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -31,7 +31,7 @@ require_once( 'includes/SiteConfiguration.php' );
$wgConf = new SiteConfiguration;
/** MediaWiki version number */
-$wgVersion = '1.10.1';
+$wgVersion = '1.10.2';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index 192c51a7..782a4161 100644
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -145,8 +145,11 @@ for more information.
* This method also replaces any '<' with &lt;
*/
protected function formatHTML($text) {
- // encode all tags as safe blue strings
- $text = ereg_replace('\<([^>]+)\>', '<span style="color:blue;">&lt;\1&gt;</span>', $text);
+ // Escape everything first for full coverage
+ $text = htmlspecialchars($text);
+
+ // encode all comments or tags as safe blue strings
+ $text = preg_replace('/\&lt;(!--.*?--|.*?)\&gt;/', '<span style="color:blue;">&lt;\1&gt;</span>', $text);
// identify URLs
$protos = "http|https|ftp|gopher";
$text = ereg_replace("($protos)://[^ '\"()<\n]+", '<a href="\\0">\\0</a>', $text);
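Review bot: The URL matcher on the last line of the hunk still terminates on the raw characters `"`, `<` and `>` of its negated class, but after the new `htmlspecialchars($text)` call those characters only ever reach it as `&quot;`, `&lt;` and `&gt;`, so a quoted URL such as `"http://example.com"` now pulls `&quot;` into both the href and the link text, and an unclosed `<` tail (`http://example.com<foo`) pulls `&lt;foo` in the same way. Since POSIX ERE has no lookahead, the cleanest fix is to move this line to preg_replace like the line above it and stop on the entities: `$text = preg_replace("/($protos):\\/\\/(?:(?!&quot;|&lt;|&gt;)[^ '\"()<\n])+/", '<a href="\\0">\\0</a>', $text);` — `&amp;` is deliberately not a terminator because query strings legitimately contain it. The docblock just above the hunk ("This method also replaces any '<' with &lt;") is now narrower than the behaviour and should say that the whole text is HTML-escaped (`&`, `<`, `>`, `"`) before any markup is added. formatHTML continues past the end of the hunk.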