Minor escaping fixes

This will also fix some (not all) of phan-taint-check's warnings

Bug: T197002
Change-Id: I7fd1798030d83292ce46543e25c0c431ec345a11

includes/AbuseFilter.php

@@ -2512,7 +2512,9 @@ class AbuseFilter {
 		// abusefilter-action-blockautopromote, abusefilter-action-block, abusefilter-action-degroup,
 		// abusefilter-action-rangeblock, abusefilter-action-disallow
 		$display = wfMessage( "abusefilter-action-$action" )->escaped();
-		$display = wfMessage( "abusefilter-action-$action", $display )->isDisabled() ? $action : $display;
+		$display = wfMessage( "abusefilter-action-$action", $display )->isDisabled()
+			? htmlspecialchars( $action )
+			: $display;
 
 		return $display;
 	}
@@ -2836,7 +2838,7 @@ class AbuseFilter {
 			} else {
 				$displayAction = self::getActionDisplay( $action ) .
 				wfMessage( 'colon-separator' )->escaped() .
-				htmlspecialchars( $wgLang->semicolonList( $parameters ) );
+				$wgLang->semicolonList( array_map( 'htmlspecialchars', $parameters ) );
 			}
 		}
 

includes/AbuseLogHitFormatter.php

@@ -18,9 +18,11 @@ class AbuseLogHitFormatter extends LogFormatter {
 		$params = parent::getMessageParameters();
 
 		$filter_title = SpecialPage::getTitleFor( 'AbuseFilter', $entry['filter'] );
-		$filter_caption = $this->msg( 'abusefilter-log-detailedentry-local' )->params( $entry['filter'] );
+		$filter_caption = $this->msg( 'abusefilter-log-detailedentry-local' )
+			->params( $entry['filter'] )
+			->text();
 		$log_title = SpecialPage::getTitleFor( 'AbuseLog', $entry['log'] );
-		$log_caption = $this->msg( 'abusefilter-log-detailslink' );
+		$log_caption = $this->msg( 'abusefilter-log-detailslink' )->text();
 
 		$params[4] = $entry['action'];
 

includes/Views/AbuseFilterViewEdit.php

@@ -359,12 +359,14 @@ class AbuseFilterViewEdit extends AbuseFilterView {
 			$userName = $row->af_user_text;
 			$fields['abusefilter-edit-lastmod'] =
 				$this->msg( 'abusefilter-edit-lastmod-text' )
-				->rawParams(
-					$lang->timeanddate( $row->af_timestamp, true ),
-					$userLink,
+				->params(
+					$lang->timeanddate( $row->af_timestamp, true )
+				)->rawParams(
+					$userLink
+				)->params(
 					$lang->date( $row->af_timestamp, true ),
 					$lang->time( $row->af_timestamp, true ),
-					$userName
+					wfEscapeWikiText( $userName )
 				)->parse();
 			$history_display = new HtmlArmor( $this->msg( 'abusefilter-edit-viewhistory' )->parse() );
 			$fields['abusefilter-edit-history'] =

includes/Views/AbuseFilterViewHistory.php

@@ -41,7 +41,7 @@ class AbuseFilterViewHistory extends AbuseFilterView {
 		foreach ( $links as $msg => $title ) {
 			$links[$msg] =
 				new OOUI\ButtonWidget( [
-					'label' => $this->msg( $msg )->parse(),
+					'label' => $this->msg( $msg )->text(),
 					'href' => $title
 				] );
 		}

includes/Views/AbuseFilterViewList.php

@@ -147,7 +147,7 @@ class AbuseFilterViewList extends AbuseFilterView {
 	public function showList( $conds = [ 'af_deleted' => 0 ], $optarray = [] ) {
 		$config = $this->getConfig();
 		$this->getOutput()->addHTML(
-			Xml::element( 'h2', null, $this->msg( 'abusefilter-list' )->parse() )
+			Xml::tags( 'h2', null, $this->msg( 'abusefilter-list' )->parse() )
 		);
 
 		$deleted = $optarray['deleted'];

includes/Views/AbuseFilterViewRevert.php

@@ -83,12 +83,17 @@ class AbuseFilterViewRevert extends AbuseFilterView {
 					$result['actions'] );
 
 				$msg = $this->msg( 'abusefilter-revert-preview-item' )
-					->rawParams(
-						$lang->timeanddate( $result['timestamp'], true ),
-						Linker::userLink( $result['userid'], $result['user'] ),
-						$result['action'],
-						$this->linkRenderer->makeLink( $result['title'] ),
-						$lang->commaList( $displayActions ),
+					->params(
+						$lang->timeanddate( $result['timestamp'], true )
+					)->rawParams(
+						Linker::userLink( $result['userid'], $result['user'] )
+					)->params(
+						$result['action']
+					)->rawParams(
+						$this->linkRenderer->makeLink( $result['title'] )
+					)->params(
+						$lang->commaList( $displayActions )
+					)->rawParams(
 						$this->linkRenderer->makeLink(
 							SpecialPage::getTitleFor( 'AbuseLog' ),
 							$this->msg( 'abusefilter-log-detailslink' )->text(),

includes/pagers/AbuseFilterPager.php

@@ -187,7 +187,7 @@ class AbuseFilterPager extends TablePager {
 				foreach ( $actions as $action ) {
 					$displayActions[] = AbuseFilter::getActionDisplay( $action );
 				}
-				return htmlspecialchars( $lang->commaList( $displayActions ) );
+				return $lang->commaList( $displayActions );
 			case 'af_enabled':
 				$statuses = [];
 				if ( $row->af_deleted ) {
@@ -212,7 +212,7 @@ class AbuseFilterPager extends TablePager {
 			case 'af_hit_count':
 				if ( SpecialAbuseLog::canSeeDetails( $row->af_id, $row->af_hidden ) ) {
 					$count_display = $this->msg( 'abusefilter-hitcount' )
-						->numParams( $value )->parse();
+						->numParams( $value )->text();
 					$link = $this->linkRenderer->makeKnownLink(
 						SpecialPage::getTitleFor( 'AbuseLog' ),
 						$count_display,
@@ -235,12 +235,14 @@ class AbuseFilterPager extends TablePager {
 					);
 				$user = $row->af_user_text;
 				return $this->msg( 'abusefilter-edit-lastmod-text' )
-					->rawParams(
-						$lang->timeanddate( $value, true ),
-						$userLink,
+					->params(
+						$lang->timeanddate( $value, true )
+					)->rawParams(
+						$userLink
+					)->params(
 						$lang->date( $value, true ),
 						$lang->time( $value, true ),
-						$user
+						wfEscapeWikiText( $user )
 				)->parse();
 			case 'af_group':
 				return AbuseFilter::nameGroup( $value );

includes/pagers/GlobalAbuseFilterPager.php

@@ -37,7 +37,7 @@ class GlobalAbuseFilterPager extends AbuseFilterPager {
 				foreach ( $actions as $action ) {
 					$displayActions[] = AbuseFilter::getActionDisplay( $action );
 				}
-				return htmlspecialchars( $lang->commaList( $displayActions ) );
+				return $lang->commaList( $displayActions );
 			case 'af_enabled':
 				$statuses = [];
 				if ( $row->af_deleted ) {