Authored By
sbassett
Oct 2 2023, 9:03 PM
Size
810 B
Referenced Files
None
Subscribers
None

01-T347746.patch

From 01ddb73a2b207b062917d30dc3c7730a021b61d9 Mon Sep 17 00:00:00 2001
From: sbassett <sbassett@wikimedia.org>
Date: Mon, 2 Oct 2023 16:00:02 -0500
Subject: [PATCH] SECURITY: Escape parentheses message to avoid potential XSS
Bug: T347746
---
includes/GlobalBlocking.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/GlobalBlocking.php b/includes/GlobalBlocking.php
index 7b3bdc9..4920558 100644
--- a/includes/GlobalBlocking.php
+++ b/includes/GlobalBlocking.php
@@ -720,7 +720,7 @@ class GlobalBlocking {
);
}
$linkItems = count( $links )
- ? $sp->msg( 'parentheses', $sp->getLanguage()->pipeList( $links ) )->text()
+ ? $sp->msg( 'parentheses', $sp->getLanguage()->pipeList( $links ) )->escaped()
: '';
return $linkItems;
}
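Review bot: On the changed line, the output of `pipeList( $links )` is still passed as an ordinary message parameter, so `->escaped()` HTML-escapes it together with the `parentheses` message text. The code that builds `$links` is outside this hunk; if those entries are already-rendered link HTML, the markup will now be displayed as literal text instead of as links. If that is the case, pass the list with `->rawParams( ... )` so that only the message text is escaped, and confirm that each entry in `$links` is escaped at the point where it is built. Since the return value is emitted as HTML, a doc comment on the method stating that it returns escaped HTML, and a test that feeds markup through a link label, would help keep a later edit from reverting to `->text()`.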
--
2.39.2 (Apple Git-143)

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
11573460
Default Alt Text
01-T347746.patch (810 B)
