Some cleanup for r36609:

$url and $alt parameters in makeExternalImage() are now normalized to be escaped on output instead of before they reach the function. This ensures that any hooks processing them won't accidentally send plaintext which might become an injection vector, or just get confused on pre-escaped input they didn't expect.

includes/Linker.php

@@ -478,7 +478,7 @@ class Linker {
 		} else {
 			$basename = substr( $basename, 1 );
 		}
-		return htmlspecialchars( $basename );
+		return $basename;
 	}
 
 	/** Obsolete alias */
@@ -497,8 +497,10 @@ class Linker {
 			wfDebug("Hook LinkerMakeExternalImage changed the output of external image with url {$url} and alt text {$alt} to {$img}", true);
 			return $img;
 		}
-		$s = '<img src="'.$url.'" alt="'.$alt.'" />';
-		return $s;
+		return Xml::element( 'img',
+			array(
+				'src' => $url,
+				'alt' => $alt ) );
 	}
 
 	/**

includes/parser/Parser.php

@@ -1468,7 +1468,7 @@ class Parser
 		     || ( $imagesexception && strpos( $url, $imagesfrom ) === 0 ) ) {
 			if ( preg_match( self::EXT_IMAGE_REGEX, $url ) ) {
 				# Image found
-				$text = $sk->makeExternalImage( htmlspecialchars( $url ) );
+				$text = $sk->makeExternalImage( $url );
 			}
 		}
 		return $text;

includes/parser/Parser_OldPP.php

@@ -1495,7 +1495,7 @@ class Parser_OldPP
 		     || ( $imagesexception && strpos( $url, $imagesfrom ) === 0 ) ) {
 			if ( preg_match( self::EXT_IMAGE_REGEX, $url ) ) {
 				# Image found
-				$text = $sk->makeExternalImage( htmlspecialchars( $url ) );
+				$text = $sk->makeExternalImage( $url );
 			}
 		}
 		return $text;