diff options
Diffstat (limited to 'includes/Html.php')
| -rw-r--r-- | includes/Html.php | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/includes/Html.php b/includes/Html.php index 1e16e394..2e148140 100644 --- a/includes/Html.php +++ b/includes/Html.php @@ -546,17 +546,20 @@ class Html { } else { // Apparently we need to entity-encode \n, \r, \t, although the // spec doesn't mention that. Since we're doing strtr() anyway, - // and we don't need <> escaped here, we may as well not call - // htmlspecialchars(). + // we may as well not call htmlspecialchars(). // @todo FIXME: Verify that we actually need to // escape \n\r\t here, and explain why, exactly. # // We could call Sanitizer::encodeAttribute() for this, but we // don't because we're stubborn and like our marginal savings on // byte size from not having to encode unnecessary quotes. + // The only difference between this transform and the one by + // Sanitizer::encodeAttribute() is '<' is only encoded here if + // $wgWellFormedXml is set, and ' is not encoded. $map = array( '&' => '&', '"' => '"', + '>' => '>', "\n" => ' ', "\r" => ' ', "\t" => '	' |