* Fix for XHTML valid output
authorBrion Vibber <brion@users.mediawiki.org>
Sat, 2 Oct 2004 20:30:04 +0000 (20:30 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Sat, 2 Oct 2004 20:30:04 +0000 (20:30 +0000)
* Escape text to avoid HTML injection

extensions/UnicodeConverter.php

index cd1966a..1012889 100644 (file)
@@ -23,20 +23,20 @@ class UnicodeConverter extends SpecialPage
 
                $q = $wgRequest->getText( 'q' );
                $encQ = htmlspecialchars( $q );
-               $action = $wgTitle->getLocalUrl();
-               $ok = wfMsg( "ok" );
+               $action = $wgTitle->escapeLocalUrl();
+               $ok = htmlspecialchars( wfMsg( "ok" ) );
 
-               $wgOut->addHTML( "
-<form name=ucf method=post action=\"$action\">
-<textarea rows=15 cols=80 name=q>
-$encQ
-</textarea><br />
-<input type=submit name=submit value=\"$ok\"><br /><br />
-</form>" );
+               $wgOut->addHTML( <<<END
+<form name="ucf" method="post" action="$action">
+<textarea rows="15" cols="80" name="q">$encQ</textarea><br />
+<input type="submit" name="submit" value="$ok" /><br /><br />
+</form>
+END
+);
 
                if ( !is_null( $q ) ) {
-                       $html = wfUtf8ToHTML( $q );
-                       $wgOut->addHTML( "\n\n\n" . nl2br( $html ) . "\n<hr>\n" .
+                       $html = wfUtf8ToHTML( htmlspecialchars( $q ) );
+                       $wgOut->addHTML( "\n\n\n" . nl2br( $html ) . "\n<hr />\n" .
                          nl2br( htmlspecialchars( $html ) ) . "\n\n" );
                }
        }
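Review bot: The `if ( !is_null( $q ) )` guard above the converted output never skips it, since `$q` comes from `$wgRequest->getText( 'q' )` on line 13, which by its name appears to return a string (empty when the parameter is absent) rather than null, so an initial page load with no input still emits the blank lines, the `<hr />` and two empty conversion blocks. Testing for the empty string, `if ( $q !== '' ) {`, keeps the unconverted form clean while preserving the new escaping. The two escape layers on the last addHTML call (escaping once before wfUtf8ToHTML, then again on the converted markup) look intentional but read like an accident; a one-line comment such as `// first line renders the entities, second line shows their source` would stop a later maintainer from "fixing" it. The enclosing method begins above this hunk.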