Last modified: 2010-05-15 15:54:46 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T16773, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 14773 - $wgOut->setPageTitle() html entity escaping bug
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: Parser
Version: 1.12.x
Hardware: All All
Importance: High normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!

Reported: 2008-07-09 19:47 UTC by Lester Hightower
Modified: 2010-05-15 15:54 UTC (History)

Description Lester Hightower 2008-07-09 19:47:44 UTC
$wgOut->setPageTitle($new_title) appears to have an entity escaping bug.  I can demonstrate the bug by calling it this way: $wgOut->setPageTitle("US&S").  Doing that makes my <title> tag correct, but does _not_ change "US&S" to "US&amp;S" in the HTML of the rendered page.

Calling it this way: $wgOut->setPageTitle(htmlspecialchars("US&S")) gets the HTML correct, but then the <title> tag will hold "US&amp;amp;S" ... obviously wrong.

I can do this, and get the correct results:

  $new_title="US&S";
  $wgOut->setPageTitle(htmlspecialchars($new_title));
  $wgOut->setHTMLTitle($new_title);

I see in mediawiki/includes/OutputPage.php that setPageTitle() calls setHTMLTitle(), but it must do so wrongly in some way.

Comment 1 Brion Vibber 2008-07-10 23:12:08 UTC
Ugh, usage seems fairly inconsistent and annoying. Needs some cleanup...

Comment 2 Siebrand Mazeland 2008-08-11 22:02:51 UTC
Prio: high

Comment 3 Tyler Romeo 2008-09-08 20:46:03 UTC
This is a very strange bug. There is no HTML conversion in OutputPage::setPageTitle() (which referenced Language::convert() and wfMsg() as well as OutputPage::setHTMLTitle()), but when generating the page in OutputPage::headerElement(), the title is put through htmlspecialchars(). So why would putting the title through htmlspecialchars() two times or one make a difference (especially since the latter causes no conversion whatsoever)?

Comment 4 Alex Z. 2009-07-22 04:18:27 UTC
This seems to have been fixed in r49330, which runs setPageTitle() input through Sanitizer::normalizeCharReferences().
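
The two outcomes in the report (an unescaped "&" in the page body when the title is passed raw, a double-escaped <title> when it is pre-escaped) and one way to avoid both by normalizing character references once at the setter, shown as an added PHP example that is not MediaWiki's code. renderBuggy(), renderFixed() and normalizeRefs() are hypothetical stand-ins, and the normalizer is a simplified sketch of the kind of work Sanitizer::normalizeCharReferences() does, assuming titles carry no markup.

```php
<?php
// Added illustration: simplified stand-ins, not MediaWiki's OutputPage or Sanitizer code.

// Model of the reported behaviour: the same string is written raw into the
// page heading but passed through htmlspecialchars() for the <title> element.
function renderBuggy(string $title): array {
    return [
        'h1'    => '<h1>' . $title . '</h1>',
        'title' => '<title>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</title>',
    ];
}

// Simplified normalizer (assumption: titles carry no markup). Well-formed
// character references are kept, every other "&" becomes "&amp;", and
// <, >, " are escaped. It does not check named references against a list.
function normalizeRefs(string $text): string {
    $text = preg_replace(
        '/&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);)/',
        '&amp;',
        $text
    );
    return str_replace(['<', '>', '"'], ['&lt;', '&gt;', '&quot;'], $text);
}

// Normalize once at the setter, then derive each output from that single form.
function renderFixed(string $title): array {
    $html  = normalizeRefs($title);                                      // HTML form
    $plain = html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8'); // text form
    return [
        'h1'    => '<h1>' . $html . '</h1>',
        'title' => '<title>' . htmlspecialchars($plain, ENT_QUOTES, 'UTF-8') . '</title>',
    ];
}

// Constructed inputs: the raw and pre-escaped forms from the report, plus a
// title containing markup characters.
foreach (['US&S', 'US&amp;S', 'A <b> & "C"'] as $input) {
    printf("input: %s\n", $input);
    foreach (['buggy' => renderBuggy($input), 'fixed' => renderFixed($input)] as $name => $out) {
        printf("  %-5s %s  %s\n", $name, $out['h1'], $out['title']);
    }
    // The normalizer is idempotent, so a caller that already escaped is not double-escaped.
    $once = normalizeRefs($input);
    printf("  idempotent: %s\n", var_export(normalizeRefs($once) === $once, true));
}
```

Because the heading in the buggy model is emitted without escaping, a title containing "<" reaches the page as markup; the normalized path emits the same escaped form whether or not the caller escaped first.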
