Merge "phpunit: Avoid use of deprecated getMock for PHPUnit 5 compat"
[lhc/web/wiklou.git] / includes / search / SearchHighlighter.php
index d0e3a24..cebdb40 100644 (file)
 class SearchHighlighter {
        protected $mCleanWikitext = true;
 
+       /**
+        * @warning If you pass false to this constructor, then
+        *  the caller is responsible for HTML escaping.
+        */
        function __construct( $cleanupWikitext = true ) {
                $this->mCleanWikitext = $cleanupWikitext;
        }
@@ -456,6 +460,10 @@ class SearchHighlighter {
                $text = preg_replace( "/('''|<\/?[iIuUbB]>)/", "", $text );
                $text = preg_replace( "/''/", "", $text );
 
+               // Note, the previous /<\/?[^>]+>/ is insufficient
+               // for XSS safety as the HTML tag can span multiple
+               // search results (T144845).
+               $text = Sanitizer::escapeHtmlAllowEntities( $text );
                return $text;
        }
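Review bot: The call `$text = Sanitizer::escapeHtmlAllowEntities( $text );` is now the function's HTML-safety boundary, yet nothing in the hunk records that callers receive already-escaped output, so a later edit could add another `preg_replace` after it or escape a second time at the call site. Suggest a line comment above the call, `// Must remain the last transformation: from here on the text is HTML-safe output.`, and `@return string Text with HTML special characters escaped; existing entities are preserved.` in the function's docblock. The constructor hunk above warns that `$cleanupWikitext = false` shifts escaping to the caller, and it is not visible here whether this function runs on that path, so the docblock should also state whether the escape applies regardless of that flag. The enclosing function's signature and docblock start outside the hunk.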