Paranoia, escape image alignment parameters before outputting.
author Brian Wolff <bawolff+wn@gmail.com>
Wed, 13 Jun 2018 15:28:20 +0000 (15:28 +0000)
committer Brian Wolff <bawolff+wn@gmail.com>
Mon, 13 Aug 2018 23:30:50 +0000 (23:30 +0000)
The alignment parameter is totally safe (See the very convoluted
code in the parser) but it's best practice to escape things right
before the output. Additionally, this protects in case any extension
uses a hook to do anything silly.

Change-Id: Ie19b106409d55c704b69280e2d0e2bb29068bd2e

includes/Linker.php

index 89a6a10..adc0297 100644
@@ -431,7 +431,11 @@ class Linker {
                        $s = $thumb->toHtml( $params );
                }
                if ( $frameParams['align'] != '' ) {
-                       $s = "<div class=\"float{$frameParams['align']}\">{$s}</div>";
+                       $s = Html::rawElement(
+                               'div',
+                               [ 'class' => 'float' . $frameParams['align'] ],
+                               $s
+                       );
                }
                return str_replace( "\n", ' ', $prefix . $s . $postfix );
        }
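Review bot: only the attribute is escaped here; the third argument `$s` is deliberately passed through `Html::rawElement` unescaped, which is right because it is the HTML produced by `$thumb->toHtml( $params )` a few lines earlier, but a one-line comment saying so would stop a future reader from "fixing" it to `Html::element` (which would entity-encode the thumbnail markup) or from assuming this change also covers the body. Attribute escaping makes `'float' . $frameParams['align']` safe to emit, but it does not constrain the value itself, so if the goal is defence against an extension hook doing "anything silly", consider also checking `$frameParams['align']` against the alignment values the parser actually produces before building the class name, rather than relying on escaping alone.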