thumb.php: Set ENT_NOQUOTES for htmlspecialchars

There is no need to escape double quotes in content of HTML and in HTML
comments.

ENT_NOQUOTES escapes '<', '>', '&' but not "'" and '"'.
https://secure.php.net/manual/en/function.htmlspecialchars.php

Change-Id: I7146df9582fc1d9742b9e1b0e4f03d7c7d2ed91f

diff --git a/thumb.php b/thumb.php
index 7c3e757..02ac0b0 100644 (file)
--- a/thumb.php
+++ b/thumb.php
@@ -572,7 +572,7 @@ function wfExtractThumbParams( $file, $params ) {
  * @return void
  */
 function wfThumbErrorText( $status, $msgText ) {
-       wfThumbError( $status, htmlspecialchars( $msgText ) );
+       wfThumbError( $status, htmlspecialchars( $msgText, ENT_NOQUOTES ) );
 }
 
 /**
@@ -602,9 +602,10 @@ function wfThumbError( $status, $msgHtml, $msgText = null, $context = [] ) {
        if ( $wgShowHostnames ) {
                header( 'X-MW-Thumbnail-Renderer: ' . wfHostname() );
                $url = htmlspecialchars(
-                       isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : ''
+                       isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
+                       ENT_NOQUOTES
                );
-               $hostname = htmlspecialchars( wfHostname() );
+               $hostname = htmlspecialchars( wfHostname(), ENT_NOQUOTES );
                $debug = "<!-- $url -->\n<!-- $hostname -->\n";
        } else {
                $debug = '';