dépôts / lhc / web / wiklou.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge "Browser tests: update to mw-selenium 1.7.2 and https"
[lhc/web/wiklou.git] / includes / Message.php
diff --git a/includes/Message.php b/includes/Message.php
index d0325d7..2c979de 100644 (file)
--- a/includes/Message.php
+++ b/includes/Message.php
@@ -802,10 +802,13 @@ class Message implements MessageSpecifier, Serializable {
                $string = $this->fetchMessage();
 
                if ( $string === false ) {
-                       if ( $this->format === 'plain' || $this->format === 'text' ) {
-                               return '<' . $this->key . '>';
-                       }
-                       return '&lt;' . htmlspecialchars( $this->key ) . '&gt;';
+                       // Err on the side of safety, ensure that the output
+                       // is always html safe in the event the message key is
+                       // missing, since in that case its highly likely the
+                       // message key is user-controlled.
+                       // '⧼' is used instead of '<' to side-step any
+                       // double-escaping issues.
+                       return '⧼' . htmlspecialchars( $this->key ) . '⧽';
                }
 
                # Replace $* with a list of parameters for &uselang=qqx.
Wiklou, le Wiki du Wiklou