On 26/06/06, Nick Jenkins <nickpj(a)gmail.com> wrote:
> Don't worry about it, it's an extremely easy thing to miss. It's also
> partially the name of the variable, $ip, and its implications, as we
> expect IP addresses to be things like "12.34.56.32", and we simply
> don't expect an IP address to contain things like '"><script>'.

No, I should know better; what caused it was damn confusion over the
bloody wfMsg* functions. I forgot that wfMsgWikiHtml() doesn't escape
parameters.
Rob Church
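
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not MediaWiki code: a message function that substitutes parameters into HTML without escaping them, next to an escaping variant and a check that a value called `$ip` really is an IP address. The function names `msgRawParams`, `msgEscapedParams` and `isIpAddress`, the template and the inputs are all constructed for illustration.

```php
<?php
// Hypothetical stand-in for a message function that substitutes $1, $2, ...
// into an HTML template WITHOUT escaping the parameters (not MediaWiki code).
function msgRawParams(string $template, string ...$params): string {
    $map = [];
    foreach ($params as $i => $value) {
        $map['$' . ($i + 1)] = $value;
    }
    // strtr() with an array replaces each placeholder once, without rescanning.
    return strtr($template, $map);
}

// Hardened variant: every parameter is HTML-escaped before substitution,
// so the caller does not have to remember which function escapes what.
function msgEscapedParams(string $template, string ...$params): string {
    $escaped = array_map(
        fn(string $p): string => htmlspecialchars($p, ENT_QUOTES, 'UTF-8'),
        $params
    );
    return msgRawParams($template, ...$escaped);
}

// Second layer: do not trust the variable's name, check the value itself.
function isIpAddress(string $value): bool {
    return filter_var($value, FILTER_VALIDATE_IP) !== false;
}

// Constructed template and inputs; the second input is the string quoted above.
$template = '<span title="$1">Contributions for $1</span>';
$inputs = ['12.34.56.32', '"><script>'];

foreach ($inputs as $ip) {
    echo 'valid IP: ', var_export(isIpAddress($ip), true), "\n";
    echo 'raw:      ', msgRawParams($template, $ip), "\n";
    echo 'escaped:  ', msgEscapedParams($template, $ip), "\n\n";
}
```

For the second input the raw variant closes the `title` attribute and the tag early, while the escaped variant emits `&quot;&gt;&lt;script&gt;` and the validation check returns false.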