In ResourceLoaderContext, normalize invalid skin names to $wgDefaultSkin . This shoul...

Sample from the query result:

| md_module                   | md_skin                          |
|-----------------------------|----------------------------------|
| ext.vector.collapsibleNav   | vector'                          |
| ext.vector.collapsibleNav   | vector' and 1=1--                |
| ext.vector.collapsibleNav   | vector' and 1=2--                |
| ext.vector.collapsibleNav   | vector')waitfor delay'0:0:20'--  |
| ext.vector.collapsibleNav   | vector',0)waitfor delay'0:0:20'- |
| ext.vector.collapsibleNav   | vector',0,0)waitfor delay'0:0:20 |
| ext.vector.collapsibleNav   | vector',0,0,0)waitfor delay'0:0: |
| ext.vector.collapsibleNav   | vector'waitfor delay'0:0:20'--   |
| ext.vector.collapsibleNav   | vector../../../../../../../../.. |
[...]
| ext.vector.sectionEditLinks | vector<script src=               |
| ext.vector.sectionEditLinks | vector?.tri.co.id/               |
| ext.vector.sectionEditLinks | vector??id=jCustomerWAPProv      |
| ext.vector.sectionEditLinks | vector??id=wap.mauj.com....      |
| ext.vector.sectionEditLinks | vector?id=202.87.41.147....      |
| ext.vector.sectionEditLinks | vector?java                      |
| ext.vector.sectionEditLinks | vector?m.vuclip.com/             |
| ext.vector.sectionEditLinks | vector?toyota.co.id              |
| ext.vector.sectionEditLinks | vectorGET                        |
| ext.vector.sectionEditLinks | vector]]>>                       |
| ext.vector.sectionEditLinks | vector`ping -c 20 127.0.0.1`     |
| ext.vector.sectionEditLinks | vector|echo 9e7f7fd5750593ab cef |
| ext.vector.sectionEditLinks | vector|ping -c 20 127.0.0.1||x   |

diff --git a/includes/resourceloader/ResourceLoaderContext.php b/includes/resourceloader/ResourceLoaderContext.php
index 2a5169a..dd69bb0 100644 (file)
--- a/includes/resourceloader/ResourceLoaderContext.php
+++ b/includes/resourceloader/ResourceLoaderContext.php
@@ -63,7 +63,9 @@ class ResourceLoaderContext {
                $this->only      = $request->getVal( 'only' );
                $this->version   = $request->getVal( 'version' );
 
-               if ( !$this->skin ) {
+               $skinnames = Skin::getSkinNames();
+               // If no skin is specified, or we don't recognize the skin, use the default skin
+               if ( !$this->skin || !isset( $skinnames[$this->skin] ) ) {
                        $this->skin = $wgDefaultSkin;
                }
        }