From: Fomafix Date: Mon, 29 Apr 2019 09:15:09 +0000 (+0200) Subject: HTML escape parameter 'text' of hook 'SkinEditSectionLinks' X-Git-Tag: 1.34.0-rc.0~1763^2 X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=a41aa2190a1b8133042afd1d99aa7569724c3404 HTML escape parameter 'text' of hook 'SkinEditSectionLinks' This change moves the responsibility for the HTML escaping of the parameter 'text' from users of the hook to the HTML generator. The extension VisualEditor already doesn't make an HTML escaping: https://gerrit.wikimedia.org/g/mediawiki/extensions/VisualEditor/+/950fee47bf0195a8f2ef552600e45dbd4d3c1a5b/includes/VisualEditorHooks.php#596 https://gerrit.wikimedia.org/g/mediawiki/extensions/VisualEditor/+/950fee47bf0195a8f2ef552600e45dbd4d3c1a5b/includes/VisualEditorHooks.php#611 The HTML escaping in extension TineMCE https://gerrit.wikimedia.org/g/mediawiki/extensions/TinyMCE/+/5f48eb9acd19062a5d6e731ef34b93ef62d3e730/TinyMCE.hooks.php#287 get removed by I8c0cae19e6c6cf95ff9b23e1f2e61be4c6c46b3f. Change-Id: Ifdd76172bfd7dc0d370bf69705f2e6a0e1c7511c
---
diff --git a/includes/skins/Skin.php b/includes/skins/Skin.php
index ac41c466cd..4f04278567 100644
--- a/includes/skins/Skin.php
+++ b/includes/skins/Skin.php
@@ -1620,7 +1620,7 @@ abstract class Skin extends ContextSource {
 $links = [
 'editsection' => [
- 'text' => $this->msg( 'editsection' )->inLanguage( $lang )->escaped(),
+ 'text' => $this->msg( 'editsection' )->inLanguage( $lang )->text(),
 'targetTitle' => $nt,
 'attribs' => $attribs,
 'query' => [ 'action' => 'edit', 'section' => $section ],
@@ -1636,7 +1636,7 @@ abstract class Skin extends ContextSource {
 foreach ( $links as $k => $linkDetails ) {
 $linksHtml[] = Linker::link(
 $linkDetails['targetTitle'],
- $linkDetails['text'],
+ htmlspecialchars( $linkDetails['text'] ),
 $linkDetails['attribs'],
 $linkDetails['query'],
 $linkDetails['options']
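Review bot: The `'text'` entry built in the first hunk is now plain text rather than HTML, and nothing at this spot tells a hook handler that the contract changed. A comment above the `$links` array, for example `// 'text' is plain text; it is HTML-escaped when the link is built, so handlers must not escape it or pass markup`, would state the rule where handlers' data originates. Handlers that still call `->escaped()` or `htmlspecialchars()` themselves will now show double-escaped entities, and any that passed deliberate markup will have it rendered literally. Only Skin.php is visible in this diff, so the hook documentation and release notes should carry the same statement if they are not updated elsewhere. The enclosing method starts and ends outside the hunk.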
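Review bot: In the second hunk, `htmlspecialchars( $linkDetails['text'] )` assumes every entry in `$links` carries a string `'text'`, including entries added by hook handlers. The hook call between the two hunks is not visible, but an entry with a missing or null `'text'` would now reach `Linker::link` as an empty string instead of null. As far as I know `Linker::link` treats null as "use the default link text", so that case would change from a titled link to an empty one; worth confirming. A guard such as `isset( $linkDetails['text'] ) ? htmlspecialchars( $linkDetails['text'] ) : null` keeps it unchanged while still escaping at the sink. The foreach body continues past the end of the hunk.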