
unescaped HTML in delete-page interface
Closed, Resolved, Public

Description

Author: wonder

Description:
Create a page that includes, say, a '<' character very near the beginning. Then select 'Delete' while using the Vector skin. The "Other/additional reason" form field will contain a literal '<' character in its value attribute, which is invalid XHTML. This makes the page unviewable on sites that use the application/xhtml+xml content type to serve MathML content.


Version: 1.16.x
Severity: normal

Details

Reference
bz20655

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 10:51 PM
bzimport added a project: MediaWiki-Parser.
bzimport set Reference to bz20655.

This should be fixed in r56407. Make sure you have $wgHtml5 set to false if you want XHTML. Note that the variable documentation for it indicates that the option may be removed in the future (which would include removal of this fix).

ayg wrote:

Fix improved in r57182 to work for the $wgWellFormedXml = $wgHtml5 = true case (which is the default config).
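The failure mode in the report, reproduced as an added example (not MediaWiki code and not part of the original task): a pre-filled field whose value attribute keeps a literal '<' is rejected by an XML parser, while the same field with '<' escaped round-trips. The field name `reason`, the sample page openings and the minimal escaper standing in for the reported output are assumptions.

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"


def escape_html_minimal(value):
    """Escape only '&' and the double quote, which is all HTML syntax requires
    inside a double-quoted attribute value (assumed stand-in for the bug)."""
    return value.replace("&", "&amp;").replace('"', "&quot;")


def escape_xml_attr(value):
    """Also escape '<', which XML forbids as a literal in attribute values."""
    return escape_html_minimal(value).replace("<", "&lt;")


def render_reason_field(value, escape):
    # "reason" is a hypothetical field name, not MediaWiki's.
    return '<input type="text" name="reason" value="%s" />' % escape(value)


def parse_as_xhtml(markup):
    """Parse the field the way an application/xhtml+xml consumer would.
    Returns (True, decoded value) or (False, parser error)."""
    doc = '<form xmlns="%s">%s</form>' % (XHTML_NS, markup)
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return False, str(exc)
    return True, root.find("{%s}input" % XHTML_NS).get("value")


# Constructed sample page openings that would be copied into the field.
SAMPLES = ["x < y holds for all inputs", 'Tom & "Jerry"', "<math>a</math> intro"]


def audit(samples=SAMPLES):
    """For each sample, report whether each escaper yields well-formed XML."""
    return [(text,
             parse_as_xhtml(render_reason_field(text, escape_html_minimal))[0],
             parse_as_xhtml(render_reason_field(text, escape_xml_attr))[0])
            for text in samples]


if __name__ == "__main__":
    for text, minimal_ok, xml_ok in audit():
        print("%-30r minimal=%s xml-safe=%s" % (text, minimal_ok, xml_ok))
```

Running the same well-formedness parse over rendered forms in a test suite catches this class of regression before it reaches sites that serve application/xhtml+xml.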