F70676157
T411144-2.patch
SomeRandomDeveloper
Authored By
SomeRandomDeveloper
Nov 26 2025, 9:53 PM
2025-11-26 21:53:44 (UTC+0)
Size
1 KB
Referenced Files
None
Subscribers
None
T411144-2.patch
From 57b005263dc894c7f90b31c83f23b51fe11e3a90 Mon Sep 17 00:00:00 2001
From: SomeRandomDeveloper <thisisnotmyname275@gmail.com>
Date: Wed, 26 Nov 2025 22:49:32 +0100
Subject: [PATCH] SECURITY: Escape system messages used in edit summaries
Bug: T411144
Change-Id: Iff01940a163ed87ec52f3a64ba6b2dbfa2759df3
---
includes/HomepageHooks.php | 2 +-
includes/Mentorship/Hooks/MentorHooks.php | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/includes/HomepageHooks.php b/includes/HomepageHooks.php
index 56177da..d724829 100644
--- a/includes/HomepageHooks.php
+++ b/includes/HomepageHooks.php
@@ -1257,7 +1257,7 @@ class HomepageHooks implements
$messageParamsStr = $messageParts[ 1 ] ?? '';
$comment = wfMessage( $messageKey )
->numParams( ...explode( '|', $messageParamsStr ) )
- ->parse();
+ ->escaped();
}
}
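Review bot: The values passed to `numParams()` are still whatever `explode( '|', $messageParamsStr )` yields, with no check that they are numbers. Switching to `->escaped()` makes the result safe to emit as HTML, but arbitrary non-numeric text from the summary would still be substituted into the system message. Restricting the pieces keeps the call to its intended input, for example `->numParams( ...array_filter( explode( '|', $messageParamsStr ), 'is_numeric' ) )`. That `$messageParamsStr` comes from a user-supplied edit summary is inferred from the commit subject, and the enclosing method starts and ends outside the hunk.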
diff --git a/includes/Mentorship/Hooks/MentorHooks.php b/includes/Mentorship/Hooks/MentorHooks.php
index 988c723..ce7aeca 100644
--- a/includes/Mentorship/Hooks/MentorHooks.php
+++ b/includes/Mentorship/Hooks/MentorHooks.php
@@ -253,7 +253,7 @@ class MentorHooks implements
'growthexperiments-mentorship-enrollasmentor-summary',
];
if ( in_array( $auto, $noParamMessageKeys ) ) {
- $comment = wfMessage( $auto )->text();
+ $comment = wfMessage( $auto )->escaped();
}
$mentorChangeMessageKeys = [
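Review bot: The allowlist test `in_array( $auto, $noParamMessageKeys )` on the line above the change uses loose comparison, although it decides which message key is loaded for the summary. Passing the strict flag, `if ( in_array( $auto, $noParamMessageKeys, true ) ) {`, makes the match exact whatever type `$auto` has when it reaches this point. A short comment beside the changed line, such as `// Output is used as HTML; keep ->escaped() (T411144)`, would also help prevent a later revert to `->text()`. The enclosing method continues outside the hunk.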
@@ -277,7 +277,7 @@ class MentorHooks implements
$comment = wfMessage( $messageKey )
->params( ...explode( '|', $messageParts[1] ) )
->inContentLanguage()
- ->parse();
+ ->escaped();
}
}
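Review bot: `$messageParts[1]` is read here without a fallback, whereas the parallel code in HomepageHooks.php uses `$messageParts[ 1 ] ?? ''`. If a summary reaches this branch without the separator, `explode()` receives null and emits a warning or deprecation notice. Unless a guard exists above the hunk (not visible here), the call could mirror the other file: `->params( ...explode( '|', $messageParts[1] ?? '' ) )`. The enclosing block starts outside the hunk.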
--
2.51.1
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
22590018
Default Alt Text
T411144-2.patch (1 KB)
Attached To
Mode
T411144: CVE-2026-22713: Stored XSS through edit summaries in GrowthExperiments