escaping quotes in breadcrumbs to improve security
authorMilos Dinic <milossh@bitbucket.org>
Fri, 10 Dec 2010 03:13:45 +0100
changeset 44 50c8563150e95a72344dff26116c566b326f8cf4
parent 43 7331521f15324537c5b3bbc94aa47447ed595c3a
child 45 bbac83daa5ded9bef39ffe8f80e1efc6200f4a60
push id21
push userzbraniecki@mozilla.com
push dateFri, 10 Dec 2010 02:18:32 +0000
escaping quotes in breadcrumbs to improve security
mediawiki/skins/gmo.php
--- a/mediawiki/skins/gmo.php
+++ b/mediawiki/skins/gmo.php
@@ -195,28 +195,29 @@ class GMOTemplate extends QuickTemplate 
                     <?php
                     $last_piece = end($pieces); /* define a last item in array */
                     $elements_count = count($pieces);
                     $elements_count -= 1;
                     foreach ($pieces as $key => $url) {
                         $label = ucwords($url);
                         $moj_niz = array(0 => "Revision History", 1 => "action=edit");
                         $moj_niz[] = $label; 
-                        $url = "http://guides.stage.mozilla.com/";
+                        $url = htmlspecialchars"http://guides.stage.mozilla.com/";
                         foreach ($moj_niz as $kljuc => $clan) {
                             if(!substr($pieces[i], $clan) >= 0) {
                                 unset($pieces[i]);  /* remove edit page, history revision and such from breadcrumbs */
                                 } 
                             else {}
                         }
                         for ($i = 0; $i <= $key; $i++) {
                             if($i == $elements_count) { $url .= $pieces[$i]; }
                             else {$url .= $pieces[$i] . "/";}
                         }
                         $url = preg_replace('/ /', '_', $url);
+                        $url = htmlspecialchars($url, ENT_QUOTES);
                         if ($url != "" && $label != $last_piece) { /* don't put | sign after the last piece */
                             if(!array_search("action=", $moj_niz) && $last_piece != "Main_Page") {
                                 echo "<span class=\"breadcrumb-item\"> <a href=" . substr_replace($url ,"",-1) . ">" . $label . "</a> > </span>";
                             } else {}
                         } else {
                             if(!array_search("action=", $moj_niz)) {
                                 echo "<span class=\"breadcrumb-item\"> <a href=" . $url . ">" . $label . "</a></span>";
                             } else {}
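Review bot: The new line `$url = htmlspecialchars"http://guides.stage.mozilla.com/";` is a PHP parse error (the call has no parentheses), so as committed this change takes down the whole skin instead of hardening it; the base URL is a constant with nothing to escape, so it should simply stay `$url = "http://guides.stage.mozilla.com/";` and rely on the `htmlspecialchars($url, ENT_QUOTES)` added after the `preg_replace`. That later call only covers half of the untrusted output: `$label`, derived from the same `$pieces` value via `ucwords`, is still echoed unescaped as the link text on both `echo` lines, and escaping it at the echo site (`htmlspecialchars($label, ENT_QUOTES)`) rather than at assignment keeps the `$label != $last_piece` comparison intact. The `href` value is also emitted without surrounding quotes, so whitespace the `preg_replace` does not rewrite (tabs, newlines) can still terminate the attribute regardless of ENT_QUOTES; writing it as `href=\"" . $url . "\"` makes the escaping effective. The enclosing `foreach` body and the `GMOTemplate` method continue past the end of the hunk.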