X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FMessage.php;h=e55eaaf646f399ec5e665c7382b517206f5b4019;hb=99d73dc9033603b03198f84854e9a5078bde89b8;hp=2a55d0ee748f54b138bb470fa1e184dc34c21063;hpb=2dd06563cd6475d8549e07dcb8d31290294c669f;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Message.php b/includes/Message.php
index 2a55d0ee74..e55eaaf646 100644
--- a/includes/Message.php
+++ b/includes/Message.php
@@ -1123,11 +1123,29 @@ class Message implements MessageSpecifier, Serializable {
 * @return string
 */
 protected function replaceParameters( $message, $type = 'before', $format ) {
+ // A temporary marker for $1 parameters that is only valid
+ // in non-attribute contexts. However if the entire message is escaped
+ // then we don't want to use it because it will be mangled in all contexts
+ // and its unnessary as ->escaped() messages aren't html.
+ $marker = $format === self::FORMAT_ESCAPED ? '$' : '$\'"';
 $replacementKeys = [];
 foreach ( $this->parameters as $n => $param ) {
 list( $paramType, $value ) = $this->extractParam( $param, $format );
- if ( $type === $paramType ) {
- $replacementKeys['$' . ( $n + 1 )] = $value;
+ if ( $type === 'before' ) {
+ if ( $paramType === 'before' ) {
+ $replacementKeys['$' . ( $n + 1 )] = $value;
+ } else /* $paramType === 'after' */ {
+ // To protect against XSS from replacing parameters
+ // inside html attributes, we convert $1 to $'"1.
+ // In the event that one of the parameters ends up
+ // in an attribute, either the ' or the " will be
+ // escaped, breaking the replacement and avoiding XSS.
+ $replacementKeys['$' . ( $n + 1 )] = $marker . ( $n + 1 );
+ }
+ } else {
+ if ( $paramType === 'after' ) {
+ $replacementKeys[$marker . ( $n + 1 )] = $value;
+ }
 }
 }
 $message = strtr( $message, $replacementKeys );
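Review bot: Both new `else` branches in replaceParameters treat "anything other than the expected value" as the after case, so a `$paramType` from extractParam() that is neither 'before' nor 'after' (or a `$type` other than 'before') would be rewritten to a bare `$'"N` marker and surface as a visible artifact in the rendered message instead of being ignored. Making the comment a condition costs one line, `} elseif ( $paramType === 'after' ) {`, and the outer `else` could likewise test `$type === 'after'` so an unexpected value is a no-op. The marker protocol also belongs in the docblock of replaceParameters, which starts above the hunk: the 'before' pass substitutes raw values and rewrites the remaining `$N` to `$'"N`, the 'after' pass substitutes those markers, and the protection only holds where whatever renders the message escapes at least one of `'` or `"` inside attribute values (the FORMAT_ESCAPED path deliberately keeps the plain `$N` form). Minor: "unnessary" in the new comment should read "unnecessary".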
@@ -1226,7 +1244,9 @@ class Message implements MessageSpecifier, Serializable {
 $this->getLanguage()
 );
- return $out instanceof ParserOutput ? $out->getText() : $out;
+ return $out instanceof ParserOutput
+ ? $out->getText( [ 'enableSectionEditLinks' => false ] )
+ : $out;
 }
 
 /**
@@ -1288,16 +1308,15 @@ class Message implements MessageSpecifier, Serializable {
 */
 protected function formatPlaintext( $plaintext, $format ) {
 switch ( $format ) {
- case self::FORMAT_TEXT:
- case self::FORMAT_PLAIN:
- return $plaintext;
-
- case self::FORMAT_PARSE:
- case self::FORMAT_BLOCK_PARSE:
- case self::FORMAT_ESCAPED:
- default:
- return htmlspecialchars( $plaintext, ENT_QUOTES );
-
+ case self::FORMAT_TEXT:
+ case self::FORMAT_PLAIN:
+ return $plaintext;
+
+ case self::FORMAT_PARSE:
+ case self::FORMAT_BLOCK_PARSE:
+ case self::FORMAT_ESCAPED:
+ default:
+ return htmlspecialchars( $plaintext, ENT_QUOTES );
 }
 }
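Review bot: The new `$out->getText( [ 'enableSectionEditLinks' => false ] )` call gives no reason for suppressing section edit links, and nothing in the hunk explains it; a why-comment on the line before the return, e.g. `// Parsed message text is not an editable page section; never emit [edit] links into it` (adjust if the actual motivation differs), would save the next reader a trip into ParserOutput::getText(). The enclosing method starts outside the hunk, so its docblock should also be checked for a mention of this option. The third hunk (formatPlaintext) is a pure re-indent and needs no review.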