From 377a2ba09cc729d149d1be590db8ce11fa50218b Mon Sep 17 00:00:00 2001
From: csteipp
Date: Fri, 27 Apr 2012 16:24:48 -0700
Subject: [PATCH] (bug 30598) Escape html when displaying url in Log

Add htmlspecialchars escaping to the Interwiki url when displaying in the logs. Fixes a potential xss.

Change-Id: I3cdf8a4f6c1b1f66a4229c8d9d00c1fc12506dd6
---
 Interwiki_body.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Interwiki_body.php b/Interwiki_body.php
index a02a8f3e..5f250ce7 100644
--- a/Interwiki_body.php
+++ b/Interwiki_body.php
@@ -338,7 +338,7 @@ class InterwikiLogFormatter extends LogFormatter {
 protected function getMessageParameters() {
 $params = parent::getMessageParameters();
 if ( isset( $params[4] ) ) {
- $params[4] = Message::rawParam( $params[4] );
+ $params[4] = Message::rawParam( htmlspecialchars( $params[4] ) );
 }
 return $params;
 }
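Review bot: The new `htmlspecialchars( $params[4] )` call relies on the function's default flags, which on PHP versions before 8.1 leave single quotes unescaped. That is enough while the log message renders the URL as element text, but the value is handed to `Message::rawParam()`, so nothing downstream escapes it again if a message or skin ever places it inside a single-quoted attribute. I would pass the flag explicitly, `$params[4] = Message::rawParam( htmlspecialchars( $params[4], ENT_QUOTES ) );`, and add a comment above it such as `// rawParam() bypasses message escaping, so the stored interwiki URL must be HTML-escaped here`. Whether `$params[4]` is always a plain string at this point depends on `parent::getMessageParameters()`, which is outside the hunk, as is the start of the enclosing class.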