* (bug 13130) Position of wpEditToken input tag in edit form

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 2bec669..789b72b 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -18,7 +18,7 @@ will be made on the development trunk and appear in the next quarterly release.
 Those wishing to use the latest code instead of a branch release can obtain
 it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 
-=== Configuration changes in 1.12 ===
+=== Configuration changes in 1.13 ===
 
 * ...
 
@@ -31,17 +31,18 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
   confused when they are told they are range-blocked.
 * One can turn off syndicatino feeds by setting $wgFeed to false
 
-=== Bug fixes in 1.12 ===
+=== Bug fixes in 1.13 ===
 
 * (bug 10677) Add link to the file description page on the shared repository
 * (bug 13084) Increase size of source/destination filename fields in upload form
 * (bug 13115) rebuildrecentchanges should print the current value of $wgRCMaxAge
+* (bug 13130) Position of wpEditToken input tag in edit form
 
-=== API changes in 1.12 ===
+=== API changes in 1.13 ===
 
 * ....
 
-=== Languages updated in 1.12 ===
+=== Languages updated in 1.13 ===
 
 * ...
 

diff --git a/includes/EditPage.php b/includes/EditPage.php
index 45ca48d..ac51a42 100644 (file)
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1306,6 +1306,21 @@ END
 <input type='hidden' value=\"{$this->edittime}\" name=\"wpEdittime\" />\n
 <input type='hidden' value=\"{$this->scrolltop}\" name=\"wpScrolltop\" id=\"wpScrolltop\" />\n" );
 
+               /**
+                * To make it harder for someone to slip a user a page
+                * which submits an edit form to the wiki without their
+                * knowledge, a random token is associated with the login
+                * session. If it's not passed back with the submission,
+                * we won't save the page, or render user JavaScript and
+                * CSS previews.
+                *
+                * For anon editors, who may not have a session, we just
+                * include the constant suffix to prevent editing from
+                * broken text-mangling proxies.
+                */
+               $token = htmlspecialchars( $wgUser->editToken() );
+               $wgOut->addHTML( "\n<input type='hidden' value=\"$token\" name=\"wpEditToken\" />\n" );
+
                $wgOut->addHTML( <<<END
 $recreate
 {$commentsubject}
@@ -1348,21 +1363,6 @@ END
 </div>
 " );
 
-               /**
-                * To make it harder for someone to slip a user a page
-                * which submits an edit form to the wiki without their
-                * knowledge, a random token is associated with the login
-                * session. If it's not passed back with the submission,
-                * we won't save the page, or render user JavaScript and
-                * CSS previews.
-                *
-                * For anon editors, who may not have a session, we just
-                * include the constant suffix to prevent editing from
-                * broken text-mangling proxies.
-                */
-               $token = htmlspecialchars( $wgUser->editToken() );
-               $wgOut->addHTML( "\n<input type='hidden' value=\"$token\" name=\"wpEditToken\" />\n" );
-
 
                # If a blank edit summary was previously provided, and the appropriate
                # user preference is active, pass a hidden tag here. This will stop the