X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FMessage.php;h=3b2f3ccc7bb70f555fe741a024e3052105f3ff16;hb=c16af68fb62948dd8079a7fa49b7c12b9a748121;hp=0240fa747738570eb7ea88257352ecda6a61aad3;hpb=b95ca29602793f39191c06cd6941e3f32ab1bbb8;p=lhc%2Fweb%2Fwiklou.git

diff --git a/includes/Message.php b/includes/Message.php
index 0240fa7477..3b2f3ccc7b 100644
--- a/includes/Message.php
+++ b/includes/Message.php
@@ -1123,11 +1123,29 @@ class Message implements MessageSpecifier, Serializable {
 	 * @return string
 	 */
 	protected function replaceParameters( $message, $type = 'before', $format ) {
+		// A temporary marker for $1 parameters that is only valid
+		// in non-attribute contexts. However if the entire message is escaped
+		// then we don't want to use it because it will be mangled in all contexts
+		// and its unnessary as ->escaped() messages aren't html.
+		$marker = $format === self::FORMAT_ESCAPED ? '$' : '$\'"';
 		$replacementKeys = [];
 		foreach ( $this->parameters as $n => $param ) {
 			list( $paramType, $value ) = $this->extractParam( $param, $format );
-			if ( $type === $paramType ) {
-				$replacementKeys['$' . ( $n + 1 )] = $value;
+			if ( $type === 'before' ) {
+				if ( $paramType === 'before' ) {
+					$replacementKeys['$' . ( $n + 1 )] = $value;
+				} else /* $paramType === 'after' */ {
+					// To protect against XSS from replacing parameters
+					// inside html attributes, we convert $1 to $'"1.
+					// In the event that one of the parameters ends up
+					// in an attribute, either the ' or the " will be
+					// escaped, breaking the replacement and avoiding XSS.
+					$replacementKeys['$' . ( $n + 1 )] = $marker . ( $n + 1 );
+				}
+			} else {
+				if ( $paramType === 'after' ) {
+					$replacementKeys[$marker . ( $n + 1 )] = $value;
+				}
 			}
 		}
 		$message = strtr( $message, $replacementKeys );
@@ -1167,11 +1185,17 @@ class Message implements MessageSpecifier, Serializable {
 			} elseif ( isset( $param['list'] ) ) {
 				return $this->formatListParam( $param['list'], $param['type'], $format );
 			} else {
-				$warning = 'Invalid parameter for message "' . $this->getKey() . '": ' .
-					htmlspecialchars( serialize( $param ) );
-				trigger_error( $warning, E_USER_WARNING );
-				$e = new Exception;
-				wfDebugLog( 'Bug58676', $warning . "\n" . $e->getTraceAsString() );
+				if ( !is_scalar( $param ) ) {
+					$param = serialize( $param );
+				}
+				\MediaWiki\Logger\LoggerFactory::getInstance( 'Bug58676' )->warning(
+					'Invalid parameter for message "{msgkey}": {param}',
+					[
+						'exception' => new Exception,
+						'msgkey' => $this->getKey(),
+						'param' => htmlspecialchars( $param ),
+					]
+				);
 
 				return [ 'before', '[INVALID]' ];
 			}