https://bugzilla.wikimedia.org/show_bug.cgi?id=63224

--- Comment #15 from Chris Steipp <cste...@wikimedia.org> ---

(In reply to Christian Dullweber from comment #14)
> So the solution is to just remove the file_exists condition?
>
> All other issues should be fixed now. Changes are here:
> https://github.com/Wikidata-lib/PropertySuggester/compare/2c409e676...
> 269a1734a

Regarding the escaping in SimpleSuggester.php, can you use addQuotes()? The threat is an attacker finds a string that satisfies is_float criteria, but allows adding extra commands when it's cast back to a string. Scientific notation is handled correctly, but I'm not sure if php accepts other formats that might include a space, and strencode won't help in that situation.

--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
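An added illustration of the string-to-float-to-string round trip discussed in the comment above; this is not code from PropertySuggester or MediaWiki, and the column name, the helper names and the simplified escaping stand-in are assumptions.

```php
<?php
// Added illustration, not PropertySuggester or MediaWiki code.
// Column name, helper names and the escaping stand-in are hypothetical.

// Pattern under discussion: accept anything that "looks like a float",
// cast it, and rely on the cast to produce a safe SQL token.
function buildConditionUnsafe( string $input ): ?string {
	if ( !is_numeric( $input ) ) {
		return null; // rejected before it reaches the query
	}
	$value = (float)$input; // is_float( $value ) is now true for every survivor
	// The float is interpolated bare: whatever (string)$value yields becomes
	// query text. (Before PHP 8.0 that cast was also locale dependent.)
	return 'probability > ' . $value;
}

// Minimal stand-in for Database::addQuotes(): always emit a quoted string
// literal, so the value can only ever be data, never a bare SQL token.
function quoteLikeAddQuotes( $value ): string {
	if ( $value === null ) {
		return 'NULL';
	}
	$escaped = str_replace( [ '\\', "'" ], [ '\\\\', "\\'" ], (string)$value );
	return "'" . $escaped . "'";
}

function buildConditionSafe( string $input ): ?string {
	if ( !is_numeric( $input ) ) {
		return null;
	}
	return 'probability > ' . quoteLikeAddQuotes( (float)$input );
}

// Ordinary input: both forms carry the same number.
var_dump( buildConditionUnsafe( '0.5' ) );   // string "probability > 0.5"
var_dump( buildConditionSafe( '0.5' ) );     // string "probability > '0.5'"

// Edge case: is_numeric() accepts "1e999", (float) overflows to INF, and
// is_float( INF ) is true. Cast back, INF is no longer a numeric literal but
// a bare word inside the query; the quoted form keeps it as string data.
var_dump( buildConditionUnsafe( '1e999' ) ); // string "probability > INF"
var_dump( buildConditionSafe( '1e999' ) );   // string "probability > 'INF'"
```

The point is that the shape check and the cast do not guarantee the string form that reaches the database, whereas quoting through the database layer does.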
--- Comment #15 from Chris Steipp <cste...@wikimedia.org> --- (In reply to Christian Dullweber from comment #14) > So the solution is to just remove the file_exists condition? > > All other issues should be fixed now. Changes are here: > https://github.com/Wikidata-lib/PropertySuggester/compare/2c409e676... > 269a1734a Regarding the escaping in SimpleSuggester.php, can you use addQuotes()? The threat is an attacker finds a string that satisfies is_float criteria, but allows adding extra commands when it's cast back to a string. Scientific notation is handled correctly, but I'm not sure if php accepts other formats that might include a space, and strencode won't help in that situation. -- You are receiving this mail because: You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l