editinterface to a new permission key editusercssjs.
* (bug 11266) Set fallback language for Fulfulde (ff) to French
* (bug 11179) Include image version deletion comment in public log
+* (bug 11158) Fix escaping in API HTML-formatted JSON
=== API changes in 1.12 ===
* This method also replaces any '<' with <
*/
protected function formatHTML($text) {
- // encode all tags as safe blue strings
- $text = ereg_replace('\<([^>]+)\>', '<span style="color:blue;"><\1></span>', $text);
+ // Escape everything first for full coverage
+ $text = htmlspecialchars($text);
+
+ // encode all comments or tags as safe blue strings
+ $text = preg_replace('/\<(!--.*?--|.*?)\>/', '<span style="color:blue;"><\1></span>', $text);
// identify URLs
$protos = "http|https|ftp|gopher";
$text = ereg_replace("($protos)://[^ \\'\"()<\n]+", '<a href="\\0">\\0</a>', $text);
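Review bot: The docblock line `* This method also replaces any '<' with <` is out of date once the htmlspecialchars() call is added at the top of formatHTML: the method now escapes every HTML-significant character (&, <, >, double quotes), not just '<', and the comment should say so, e.g. `* The text is run through htmlspecialchars() first, so all tags and entities are shown escaped; tags and comments are then wrapped in a blue span.` The docblock opens before this hunk and formatHTML's body continues after it. As rendered here the new preg_replace pattern matches a literal `<`, which cannot occur after htmlspecialchars() has run; presumably the pattern and replacement are written against the escaped `&lt;`/`&gt;` forms and the entities were lost in rendering, which is worth confirming, since otherwise the highlighting never fires (the output stays escaped either way). The pattern also lacks the `s` modifier, so a comment or tag spanning a line break is left unhighlighted, and the unchanged URL line below still uses ereg_replace() while this hunk moved the tag handling to preg_replace(); converting it as well would keep the function on a single regex engine.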