Update OOjs UI to v0.19.2

[lhc/web/wiklou.git] / includes / Sanitizer.php

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 44e4e3e..42b166d 100644 (file)
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -1119,6 +1119,7 @@ class Sanitizer {
                        '>'    => '>',   // we've received invalid input
                        '"'    => '"', // which should have been escaped.
                        '{'    => '{',
+                       '}'    => '}', // prevent unpaired language conversion syntax
                        '['    => '[',
                        "''"   => '''',
                        'ISBN' => 'ISBN',
@@ -1262,8 +1263,9 @@ class Sanitizer {
        static function escapeHtmlAllowEntities( $html ) {
                $html = Sanitizer::decodeCharReferences( $html );
                # It seems wise to escape ' as well as ", as a matter of course.  Can't
-               # hurt.
-               $html = htmlspecialchars( $html, ENT_QUOTES );
+               # hurt. Use ENT_SUBSTITUTE so that incorrectly truncated multibyte characters
+               # don't cause the entire string to disappear.
+               $html = htmlspecialchars( $html, ENT_QUOTES | ENT_SUBSTITUTE );
                return $html;
        }