Fix non-escaped messages used in page subtitles

Reported by Phan, and also discoverable with ?uselang=x-xss. Change-Id: Ieb41d11acf543784f1cfbca5ea2272ac0bffc9a9 (cherry picked from commit 1e54192b1b)
2024-11-24 06:03:49 +00:00 · 2023-10-05 22:51:21 +02:00 · 2023-10-05 22:51:21 +02:00 · 52ddf41e7d
parent 05be8474c3
commit 52ddf41e7d
2 changed files with 6 additions and 7 deletions
--- a/includes/Special/AbuseFilterSpecialPage.php
+++ b/includes/Special/AbuseFilterSpecialPage.php
@ -79,7 +79,7 @@ abstract class AbuseFilterSpecialPage extends SpecialPage {

 		$linkStr = $this->msg( 'parentheses' )
 			->rawParams( $this->getLanguage()->pipeList( $links ) )
-			->text();
+			->escaped();
 		$linkStr = $this->msg( 'abusefilter-topnav' )->parse() . " $linkStr";

 		$linkStr = Xml::tags( 'div', [ 'class' => 'mw-abusefilter-navigation' ], $linkStr );
--- a/includes/View/AbuseFilterViewHistory.php
+++ b/includes/View/AbuseFilterViewHistory.php
@ -117,13 +117,12 @@ class AbuseFilterViewHistory extends AbuseFilterView {
 		);
 		if ( $user !== false ) {
 			$out->addSubtitle(
-				$this->msg(
-					'abusefilter-history-foruser',
-					// We don't really need to get a user ID
-					Linker::userLink( 1, $user ),
+				$this->msg( 'abusefilter-history-foruser' )
+					// We don't really need to pass the real user ID
+					->rawParams( Linker::userLink( 1, $user ) )
 					// For GENDER
-					$user
-				)->text()
+					->params( $user )
+					->parse()
 			);
 		} else {
 			$user = null;