Use double quotes instead of singe quotes for HTML attributes

htmlspecialchars[1] encodes only double quotes not single quotes.
Therefor the HTML attribute must enclosed with double quotes for
correct output encoding.

[1] https://secure.php.net/manual/en/function.htmlspecialchars.php

Change-Id: I3fec5299585187ed70d62b9248007af34b0db85b

diff --git a/includes/diff/DifferenceEngine.php b/includes/diff/DifferenceEngine.php
index d4bee29..7f9af60 100644 (file)
--- a/includes/diff/DifferenceEngine.php
+++ b/includes/diff/DifferenceEngine.php
@@ -1174,17 +1174,17 @@ class DifferenceEngine extends ContextSource {
 
                if ( !$diff && !$otitle ) {
                        $header .= "
-                       <tr style='vertical-align: top;' lang='{$userLang}'>
-                       <td class='diff-ntitle'>{$ntitle}</td>
+                       <tr style=\"vertical-align: top;\" lang=\"{$userLang}\">
+                       <td class=\"diff-ntitle\">{$ntitle}</td>
                        </tr>";
                        $multiColspan = 1;
                } else {
                        if ( $diff ) { // Safari/Chrome show broken output if cols not used
                                $header .= "
-                               <col class='diff-marker' />
-                               <col class='diff-content' />
-                               <col class='diff-marker' />
-                               <col class='diff-content' />";
+                               <col class=\"diff-marker\" />
+                               <col class=\"diff-content\" />
+                               <col class=\"diff-marker\" />
+                               <col class=\"diff-content\" />";
                                $colspan = 2;
                                $multiColspan = 4;
                        } else {
@@ -1193,20 +1193,20 @@ class DifferenceEngine extends ContextSource {
                        }
                        if ( $otitle || $ntitle ) {
                                $header .= "
-                               <tr style='vertical-align: top;' lang='{$userLang}'>
-                               <td colspan='$colspan' class='diff-otitle'>{$otitle}</td>
-                               <td colspan='$colspan' class='diff-ntitle'>{$ntitle}</td>
+                               <tr style=\"vertical-align: top;\" lang=\"{$userLang}\">
+                               <td colspan=\"$colspan\" class=\"diff-otitle\">{$otitle}</td>
+                               <td colspan=\"$colspan\" class=\"diff-ntitle\">{$ntitle}</td>
                                </tr>";
                        }
                }
 
                if ( $multi != '' ) {
-                       $header .= "<tr><td colspan='{$multiColspan}' style='text-align: center;' " .
-                               "class='diff-multi' lang='{$userLang}'>{$multi}</td></tr>";
+                       $header .= "<tr><td colspan=\"{$multiColspan}\" style=\"text-align: center;\" " .
+                               "class=\"diff-multi\" lang=\"{$userLang}\">{$multi}</td></tr>";
                }
                if ( $notice != '' ) {
-                       $header .= "<tr><td colspan='{$multiColspan}' style='text-align: center;' " .
-                               "lang='{$userLang}'>{$notice}</td></tr>";
+                       $header .= "<tr><td colspan=\"{$multiColspan}\" style=\"text-align: center;\" " .
+                               "lang=\"{$userLang}\">{$notice}</td></tr>";
                }
 
                return $header . $diff . "</table>";

diff --git a/includes/logging/BlockLogFormatter.php b/includes/logging/BlockLogFormatter.php
index a0bfb59..1ed18cd 100644 (file)
--- a/includes/logging/BlockLogFormatter.php
+++ b/includes/logging/BlockLogFormatter.php
@@ -60,7 +60,7 @@ class BlockLogFormatter extends LogFormatter {
                        // is shown on the correct side of the tooltip text.
                        $durationTooltip = '‎' . htmlspecialchars( $params[4] );
                        $params[4] = Message::rawParam(
-                               "<span class='blockExpiry' title='$durationTooltip'>" .
+                               "<span class=\"blockExpiry\" title=\"$durationTooltip\">" .
                                $this->context->getLanguage()->translateBlockExpiry(
                                        $params[4],
                                        $this->context->getUser(),