SECURITY: Always normalize link url before adding to ParserOutput

[lhc/web/wiklou.git] / includes / parser / ParserOutput.php

diff --git a/includes/parser/ParserOutput.php b/includes/parser/ParserOutput.php
index 7bf848f..7de3b30 100644 (file)
--- a/includes/parser/ParserOutput.php
+++ b/includes/parser/ParserOutput.php
@@ -535,6 +535,10 @@ class ParserOutput extends CacheTime {
                # We don't register links pointing to our own server, unless... :-)
                global $wgServer, $wgRegisterInternalExternals;
 
+               # Replace unnecessary URL escape codes with the referenced character
+               # This prevents spammers from hiding links from the filters
+               $url = parser::normalizeLinkUrl( $url );
+
                $registerExternalLink = true;
                if ( !$wgRegisterInternalExternals ) {
                        $registerExternalLink = !self::isLinkInternal( $wgServer, $url );
@@ -696,6 +700,8 @@ class ParserOutput extends CacheTime {
         * to SpecialTrackingCategories::$coreTrackingCategories, and extensions
         * should add to "TrackingCategories" in their extension.json.
         *
+        * @todo Migrate some code to TrackingCategories
+        *
         * @param string $msg Message key
         * @param Title $title title of the page which is being tracked
         * @return bool Whether the addition was successful
@@ -707,7 +713,7 @@ class ParserOutput extends CacheTime {
                        return false;
                }
 
-               // Important to parse with correct title (bug 31469)
+               // Important to parse with correct title (T33469)
                $cat = wfMessage( $msg )
                        ->title( $title )
                        ->inContentLanguage()