From 87fac425111fe29d879e7fa3fe7759e45df183b4 Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Sun, 20 May 2018 13:41:33 -0700
Subject: [PATCH] Properly escape messages passed to HTMLForm
THe messages in 'options' need to be HTML escaped. Spotted by the phan-taint-check plugin.
Change-Id: I1e207e5ca644551ae56cdd484f5f29267b6d764f
---
 includes/PopupsHooks.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/includes/PopupsHooks.php b/includes/PopupsHooks.php
index 1694c72be..aa6c0a199 100644
--- a/includes/PopupsHooks.php
+++ b/includes/PopupsHooks.php
@@ -50,9 +50,9 @@ class PopupsHooks {
 'label-message' => 'popups-prefs-optin-title',
 'help-message' => 'popups-prefs-conflicting-gadgets-info',
 'options' => [
- wfMessage( 'popups-prefs-optin-enabled-label' )->text()
+ wfMessage( 'popups-prefs-optin-enabled-label' )->escaped()
 => PopupsContext::PREVIEWS_ENABLED,
- wfMessage( 'popups-prefs-optin-disabled-label' )->text()
+ wfMessage( 'popups-prefs-optin-disabled-label' )->escaped()
 => PopupsContext::PREVIEWS_DISABLED
 ],
 'section' => self::PREVIEWS_PREFERENCES_SECTION
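Review bot: Nothing at the two `->escaped()` calls in the 'options' array records why the keys must be HTML-escaped, so a later cleanup could quietly switch them back to `->text()` and reintroduce the injection path the taint checker flagged. I would add a comment above the array such as `// HTMLForm outputs 'options' keys as raw HTML, so the labels must be escaped here.` A sturdier alternative is to stop building the labels by hand and pass the message keys through HTMLForm's `'options-messages'` (e.g. `'popups-prefs-optin-enabled-label' => PopupsContext::PREVIEWS_ENABLED`), which leaves the output encoding to the form class. It appears to parse the message rather than plain-escape it, so confirm the rendered labels are unchanged before switching. The enclosing method starts and ends outside this hunk, so whether other message-derived strings in the same descriptor need the same treatment cannot be checked from here.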