Last modified: 2014-09-23 19:36:26 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T22999, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 20999 - SelectCategoryTagCloud is not properly escaping tags
Status: NEW
Product: MediaWiki extensions
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All All
Importance: Normal major
Assigned To: Leon Weber
URL: http://www.blobject.es
Keywords: patch, patch-reviewed
Reported: 2009-10-05 10:18 UTC by Hidabe
Modified: 2014-09-23 19:36 UTC (History)
Description Hidabe 2009-10-05 10:18:25 UTC
When we have a category with the character ", the extension produces broken HTML, because in the function createTagCloud, in SelectCategoryTagCloud.body.php, we print:

$currentRow = "<span title='" .wfMsg( 'selectcategory-tooltip' ). "' onclick='checkCategory(this)' class='" . $existingClass . $link_class . "' style='{$style}'>" . $title->getText() . "</span>&nbsp; ";

I have solved it by changing the line to:
$currentRow = "<span title='" .wfMsg( 'selectcategory-tooltip' ). "' onclick='checkCategory(this)' class='" . $existingClass . $link_class . "' style='{$style}'>" . str_replace('"','&quot;',$title->getText()) . "</span>&nbsp; ";

Regards!
Comment 1 Roan Kattouw 2009-10-05 10:36:13 UTC
This is not a proper fix, you should use htmlspecialchars($title->getText()) instead.
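
The difference between the two approaches in the description and comment 1, as an added example that is not part of the original report or of the extension's code. Plain strings stand in for $title->getText() and wfMsg(), the helper names (esc, escQuoteOnly, isFaithful, buildRow) are hypothetical, and the sample category names are constructed.

```php
<?php
// Added example; not code from the SelectCategoryTagCloud extension.
// Plain strings stand in for $title->getText() and wfMsg(); sample values are constructed.

// Escape a value for element content and for single- or double-quoted attributes.
function esc( string $s ): string {
    // ENT_QUOTES is explicit: before PHP 8.1 the default flag (ENT_COMPAT) left '
    // unescaped, and the line in the report uses single-quoted attributes.
    return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' );
}

// The variant from the description: only the double quote is replaced.
function escQuoteOnly( string $s ): string {
    return str_replace( '"', '&quot;', $s );
}

// An encoding is faithful if no HTML-significant character is left raw and
// decoding the output gives back exactly the original text.
function isFaithful( string $original, string $out ): bool {
    $rest = preg_replace( '/&(?:amp|lt|gt|quot|#0?39);/', '', $out );
    $noRawSpecials = preg_match( '/[<>&"\']/', $rest ) !== 1;
    return $noRawSpecials && html_entity_decode( $out, ENT_QUOTES, 'UTF-8' ) === $original;
}

// The row from createTagCloud with every dynamic value escaped at output time.
function buildRow( string $tooltip, string $class, string $style, string $text ): string {
    return "<span title='" . esc( $tooltip ) . "' onclick='checkCategory(this)' class='"
        . esc( $class ) . "' style='" . esc( $style ) . "'>" . esc( $text ) . "</span>&nbsp; ";
}

$samples = [ 'Films "noir"', "Rock 'n' roll", 'R&B', 'AT&amp;T', 'a<b' ];
foreach ( $samples as $text ) {
    $q = escQuoteOnly( $text );
    $h = esc( $text );
    printf(
        "%-14s quote-only: %-22s faithful: %-3s  htmlspecialchars: %-24s faithful: %s\n",
        $text, $q, isFaithful( $text, $q ) ? 'yes' : 'no',
        $h, isFaithful( $text, $h ) ? 'yes' : 'no'
    );
}

echo buildRow( "Don't miss: click to select", 'tag existing', 'font-size:120%', 'Films "noir"' ), "\n";
```

Only the first sample survives the quote-only replacement intact; the others keep a raw ', & or <, or (for AT&amp;T) decode to different text than was stored.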
Comment 2 MZMcBride 2011-11-03 00:06:55 UTC
I'm removing the "need-review" keyword. Roan reviewed the "patch" in comment 1. (I think the "patch" keyword is a bit silly here as well, but I'll leave it for now.)

(In reply to comment #1)
> This is not a proper fix, you should use htmlspecialchars($title->getText())
> instead.

I thought there was a MediaWiki-specific escape function that people used instead of htmlspecialchars. Maybe I'm thinking of something else?
Comment 3 Sumana Harihareswara 2012-01-30 18:40:31 UTC
Adding "reviewed" keyword for clarity.

Hidabe, if you have time to revisit this issue, please stop into our chat channel, #mediawiki https://www.mediawiki.org/wiki/MediaWiki_on_IRC to discuss approach.  Thanks!
Comment 4 Christian Boltz 2012-09-22 18:28:08 UTC
[Fixing the "Component" field - SelectCategoryTagCloud != SelectCategory]
