*
* @code
* // old style:
- * wfMsgExt( 'key', array( 'parseinline' ), 'apple' );
+ * wfMsgExt( 'key', [ 'parseinline' ], 'apple' );
* // new style:
* wfMessage( 'key', 'apple' )->parse();
* @endcode
* Places where HTML cannot be used. {{-transformation is done.
* @code
* // old style:
- * wfMsgExt( 'key', array( 'parsemag' ), 'apple', 'pear' );
+ * wfMsgExt( 'key', [ 'parsemag' ], 'apple', 'pear' );
* // new style:
* wfMessage( 'key', 'apple', 'pear' )->text();
* @endcode
$string = $this->fetchMessage();
if ( $string === false ) {
- if ( $this->format === 'plain' || $this->format === 'text' ) {
- return '<' . $this->key . '>';
- }
- return '<' . htmlspecialchars( $this->key ) . '>';
+ // Err on the side of safety, ensure that the output
+ // is always html safe in the event the message key is
+ // missing, since in that case its highly likely the
+ // message key is user-controlled.
+ // '⧼' is used instead of '<' to side-step any
+ // double-escaping issues.
+ return '⧼' . htmlspecialchars( $this->key ) . '⧽';
}
# Replace $* with a list of parameters for &uselang=qqx.