Merge "Fix deletion handling of rev_deleted"

[lhc/web/wiklou.git] / includes / Message.php

diff --git a/includes/Message.php b/includes/Message.php
index d0325d7..c2c954a 100644 (file)
--- a/includes/Message.php
+++ b/includes/Message.php
@@ -120,7 +120,7 @@
  *
  * @code
  *     // old style:
- *     wfMsgExt( 'key', array( 'parseinline' ), 'apple' );
+ *     wfMsgExt( 'key', [ 'parseinline' ], 'apple' );
  *     // new style:
  *     wfMessage( 'key', 'apple' )->parse();
  * @endcode
@@ -131,7 +131,7 @@
  * Places where HTML cannot be used. {{-transformation is done.
  * @code
  *     // old style:
- *     wfMsgExt( 'key', array( 'parsemag' ), 'apple', 'pear' );
+ *     wfMsgExt( 'key', [ 'parsemag' ], 'apple', 'pear' );
  *     // new style:
  *     wfMessage( 'key', 'apple', 'pear' )->text();
  * @endcode
@@ -802,10 +802,13 @@ class Message implements MessageSpecifier, Serializable {
                $string = $this->fetchMessage();
 
                if ( $string === false ) {
-                       if ( $this->format === 'plain' || $this->format === 'text' ) {
-                               return '<' . $this->key . '>';
-                       }
-                       return '&lt;' . htmlspecialchars( $this->key ) . '&gt;';
+                       // Err on the side of safety, ensure that the output
+                       // is always html safe in the event the message key is
+                       // missing, since in that case its highly likely the
+                       // message key is user-controlled.
+                       // '⧼' is used instead of '<' to side-step any
+                       // double-escaping issues.
+                       return '⧼' . htmlspecialchars( $this->key ) . '⧽';
                }
 
                # Replace $* with a list of parameters for &uselang=qqx.