    SECURITY: Fix potential XSS vectors · 939ee9b8
    Jack Phoenix authored
    Since $title (actually a Title object, which is converted magically to a
    string here due to Title::__toString()) can be user-supplied, it needs to
    be escaped before being output to avoid $title from being something like
    Foo " onmouseover="alert('xss') or some such.
    Furthermore, changed the output format of [[MediaWiki:Liberty-facebook]]
    and [[MediaWiki:Liberty-twitter]] messages to ->escaped() so that admins
    cannot do nasty things by adding a " to one or both of the aforementioned
    MediaWiki: pages (thanks bawolff!).
LibertyTemplate.php 30.1 KB
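The two attribute-breakout vectors described in the commit message, shown as an added example that is not code from the Liberty skin or from MediaWiki core. FakeTitle and FakeMessage are assumed stand-ins for MediaWiki's Title::__toString() and Message::text()/escaped(); the payload strings are constructed from the one quoted in the message, and htmlspecialchars() is the real PHP function that escaped() relies on.

```php
<?php
// Added example (not the Liberty skin's or MediaWiki's code). FakeTitle and
// FakeMessage are minimal stand-ins (assumptions) for MediaWiki's Title and
// Message classes; htmlspecialchars() is the real PHP function.
declare(strict_types=1);

final class FakeTitle {
    public function __construct(private string $prefixedText) {}
    // Like Title::__toString(): the page name comes back verbatim, unescaped.
    public function __toString(): string { return $this->prefixedText; }
}

final class FakeMessage {
    public function __construct(private string $raw) {}
    // Raw content as a sysop saved it on a MediaWiki: page.
    public function text(): string { return $this->raw; }
    // What ->escaped() yields: safe inside HTML text or a quoted attribute.
    public function escaped(): string {
        return htmlspecialchars($this->raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Before: the Title object is concatenated straight into an attribute.
function renderTitleVulnerable(FakeTitle $title): string {
    return '<span title="' . $title . '">' . $title . '</span>';
}

// After: escape once, at the output boundary. ENT_QUOTES covers both " and '.
function renderTitleSafe(FakeTitle $title): string {
    $t = htmlspecialchars((string)$title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span title="' . $t . '">' . $t . '</span>';
}

// Before: ->text() lets an admin-edited message break out of the href attribute.
function renderSocialVulnerable(FakeMessage $url): string {
    return '<a href="' . $url->text() . '">Facebook</a>';
}

// After: ->escaped(), the form the commit switched to.
function renderSocialSafe(FakeMessage $url): string {
    return '<a href="' . $url->escaped() . '">Facebook</a>';
}

// Check: count attribute boundaries (`name="`). Each template above has
// exactly one attribute, so any count above 1 means the value broke out.
function attributeCount(string $html): int {
    return preg_match_all('/\s[a-z]+="/i', $html);
}

// Constructed payloads, modelled on the one in the commit message.
$title = new FakeTitle('Foo " onmouseover="alert(\'xss\')');
$msg   = new FakeMessage('https://example.org/" onmouseover="alert(\'xss\')');

foreach ([
    'title vuln' => renderTitleVulnerable($title),   // attrs=3
    'title safe' => renderTitleSafe($title),         // attrs=1
    'msg vuln'   => renderSocialVulnerable($msg),    // attrs=2
    'msg safe'   => renderSocialSafe($msg),          // attrs=1
] as $label => $html) {
    printf("%-10s attrs=%d  %s\n", $label, attributeCount($html), $html);
}
```

Run with `php example.php`. Two caveats worth keeping in mind when reviewing similar code: escape at the point of output rather than when the value is read, so the same Title can still be used for URL building or comparisons; and htmlspecialchars() only stops the value from leaving the attribute, so a message that is used as an href still needs its scheme checked, since a `javascript:` URL contains no characters that escaping would touch.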