
0001-SECURITY-Escape-card-title-and-description.patch

Authored By
Lucas_Werkmeister_WMDE
Jun 10 2025, 2:13 PM
Size
1 KB
Referenced Files
None
Subscribers
None


From c841379bf8d062fa13118a3df4ff6acda9d9761f Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
Date: Tue, 10 Jun 2025 16:11:24 +0200
Subject: [PATCH] SECURITY: Escape card title and description
mw.html is part of the mediawiki.base module, so no new ResourceLoader
dependency should be necessary.
Bug: T396413
Change-Id: SECURITY-I18f98a31ba40ff244c6944e2f9e1c4bee1319abf
---
resources/ext.relatedArticles.readMore/RelatedArticles.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/resources/ext.relatedArticles.readMore/RelatedArticles.js b/resources/ext.relatedArticles.readMore/RelatedArticles.js
index 997fabd0fa..f48fd61d62 100644
--- a/resources/ext.relatedArticles.readMore/RelatedArticles.js
+++ b/resources/ext.relatedArticles.readMore/RelatedArticles.js
@@ -26,8 +26,8 @@ const RelatedArticles = ( options ) => [
</span>` }
</span>
<span class="cdx-card__text">
- <span class="cdx-card__text__title">${ card.label }</span>
- <span class="cdx-card__text__description">${ card.description }</span>
+ <span class="cdx-card__text__title">${ mw.html.escape( card.label ) }</span>
+ <span class="cdx-card__text__description">${ mw.html.escape( card.description ) }</span>
</span>
</a>
</li>` ).join( '\n' ),
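Review bot: in the two `+` lines, `mw.html.escape( card.label )` and `mw.html.escape( card.description )` are now called unconditionally, so please confirm that both fields are always strings by the time this template runs; if `card.description` can be absent, passing `card.description || ''` keeps a card without a description rendering as before. The context lines also show that this template literal contains a nested expression ending at `</span>` }` and an enclosing `<a>` element, both outside the hunk; any `card` values interpolated there, especially into attributes, need the same escaping and should be checked as part of this fix. The diffstat lists only RelatedArticles.js, so a test that renders a card whose label and description contain markup characters would guard against a regression.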
--
2.49.0

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
20917996
Default Alt Text
0001-SECURITY-Escape-card-title-and-description.patch (1 KB)
