SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

CVE-2021-44855 Bug: T293589 Change-Id: I691b4065e67c53c4276599c8d16c31ab5591db3a
2024-11-15 18:39:52 +00:00 · 2021-11-16 12:17:18 -06:00 · 2021-11-16 12:17:18 -06:00 · 839b64d882
parent ff22ddd7a8
commit 839b64d882
1 changed files with 2 additions and 2 deletions
--- a/modules/ve-mw/ui/dialogs/ve.ui.MWMediaDialog.js
+++ b/modules/ve-mw/ui/dialogs/ve.ui.MWMediaDialog.js
@ -788,9 +788,9 @@ ve.ui.MWMediaDialog.prototype.cleanAPIresponse = function ( rawResponse, config
 	}

 	// Check if the string should be truncated
-	return isTruncated && !config.ignoreCharLimit ?
+	return mw.html.escape( isTruncated && !config.ignoreCharLimit ?
 		originalText.slice( 0, charLimit ) + ellipsis :
-		originalText;
+		originalText );
 };

 /**