Page MenuHomePhabricator
Files F70079448

01-T409737.patch
SomeRandomDeveloper
Actions

Authored By
SomeRandomDeveloper
Nov 10 2025, 3:01 PM
Size
928 B
Referenced Files
None
Subscribers
None

01-T409737.patch
View Options

From c6efb53f9c0894595a4625288e4e4bb212bf0a77 Mon Sep 17 00:00:00 2001
From: SomeRandomDeveloper <thisisnotmyname275@gmail.com>
Date: Mon, 10 Nov 2025 15:57:31 +0100
Subject: [PATCH] SECURITY: Escape system messages in autocomments
Bug: T409737
Change-Id: I8505700afda8096ef4e183280494232152767004
---
lib/includes/Formatters/AutoCommentFormatter.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/includes/Formatters/AutoCommentFormatter.php b/lib/includes/Formatters/AutoCommentFormatter.php
index a251abd8fe..408cc6e0f4 100644
--- a/lib/includes/Formatters/AutoCommentFormatter.php
+++ b/lib/includes/Formatters/AutoCommentFormatter.php
@@ -117,7 +117,7 @@ class AutoCommentFormatter {
return wfEscapeWikiText( $arg );
}, $args );
// render the autocomment
- $auto = $msg->params( $args )->parse();
+ $auto = $msg->params( $args )->escaped();
return $icon . $auto;
}
--
2.51.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
22265558
Default Alt Text
01-T409737.patch (928 B)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits