SECURITY: Avoid double-escaping html tag contents

* Avoid double-escaping the captcha-edit-fail message via both Html::element and RawMessage. * Also add suppress comment due to overall taint of RawMessage. Bug: T293818 Change-Id: I6b985266a26f6b152bca05a91f6054ed1a5f2a5a
2024-11-24 00:04:15 +00:00 · 2021-10-25 10:19:07 -05:00 · 2021-10-25 10:19:07 -05:00 · 1493c928c2
parent d0995dcef7
commit 1493c928c2
1 changed files with 3 additions and 1 deletions
--- a/SimpleCaptcha/SimpleCaptcha.php
+++ b/SimpleCaptcha/SimpleCaptcha.php
@ -876,8 +876,10 @@ class SimpleCaptcha {
 			// for the user, which we don't know, when he did it.
 			if ( $this->action === 'edit' ) {
 				$status->fatal(
+					// T293818 - only worried about $content here
+					// @phan-suppress-next-line SecurityCheck-DoubleEscaped
 					new RawMessage(
-						Html::element(
+						Html::rawElement(
 							'div',
 							[ 'class' => 'errorbox' ],
 							$context->msg( 'captcha-edit-fail' )->text()