From 399e76985271384653a4747b9cc3fcc68c53bbb9 Mon Sep 17 00:00:00 2001
From: Gabriel Wicke <gwicke@users.mediawiki.org>
Date: Fri, 24 Mar 2006 16:43:57 +0000
Subject: [PATCH] Fix JS injection vulnerability and test case

---
 includes/Parser.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/includes/Parser.php b/includes/Parser.php
index 1c8eca9c6a..ff66e1314f 100644
--- a/includes/Parser.php
+++ b/includes/Parser.php
@@ -1416,7 +1416,9 @@ class Parser
 					$m[3] = $n[1];
 				}
 				# fix up urlencoded title texts
-				if(preg_match('/%/', $m[1] )) $m[1] = urldecode($m[1]);
+				if(preg_match('/%/', $m[1] )) 
+					# Should anchors '#' also be rejected?
+					$m[1] = str_replace( array('<', '>'), array('&lt;', '&gt;'), urldecode($m[1]) );
 				$trail = $m[3];
 			} elseif( preg_match($e1_img, $line, $m) ) { # Invalid, but might be an image with a link in its caption
 				$might_be_img = true;
-- 
2.20.1