From 61d9bb77b5976816be816b6c2c023acf5168dcb5 Mon Sep 17 00:00:00 2001
From: sbassett
Date: Tue, 16 Nov 2021 12:17:18 -0600
Subject: [PATCH] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields CVE-2021-44855
Bug: T293589
Change-Id: I691b4065e67c53c4276599c8d16c31ab5591db3a
---
 modules/ve-mw/ui/dialogs/ve.ui.MWMediaDialog.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/ve-mw/ui/dialogs/ve.ui.MWMediaDialog.js b/modules/ve-mw/ui/dialogs/ve.ui.MWMediaDialog.js
index 2b50b387c7..fa21fb973b 100644
--- a/modules/ve-mw/ui/dialogs/ve.ui.MWMediaDialog.js
+++ b/modules/ve-mw/ui/dialogs/ve.ui.MWMediaDialog.js
@@ -780,9 +780,9 @@ ve.ui.MWMediaDialog.prototype.cleanAPIresponse = function ( rawResponse, config
 }
 // Check if the string should be truncated
- return isTruncated && !config.ignoreCharLimit ?
- originalText.substring( 0, charLimit ) + ellipsis :
- originalText;
+ return mw.html.escape( isTruncated && !config.ignoreCharLimit ?
+ originalText.slice( 0, charLimit ) + ellipsis :
+ originalText );
 };
 /**
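Review bot: The return value of `cleanAPIresponse` changes here from plain text to HTML-escaped text, but nothing in the hunk records that new contract. The function's doc block, the derivation of `originalText` and all callers are outside the hunk. It is therefore worth confirming that every caller inserts the result as HTML, since a text setter would now display `&lt;` literally, and that no other return path hands back the unescaped value. I would change the `@return` line to something like `@return {string} HTML-escaped plain text, truncated to the character limit unless config.ignoreCharLimit is set`. A unit test with a metadata value containing `<`, `>`, `&` and quotes, covering both the truncated and the `ignoreCharLimit` branches, would guard against regressions. Truncating before escaping, as written, is the right order because it cannot cut an entity in half.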