pagesize message is raw HTML. Check if other ones are too
Description
Status | Subtype | Assigned | Task
---|---|---|---
Open | None | | T2212 Some MediaWiki: messages not safe in HTML (tracking)
Invalid | None | | T136700 Raw HTML in Special:ProtectedPages
Event Timeline
I only found one usage of pagesize:
Xml::label( $this->msg( 'pagesize' )->text(), 'wpsize' )
https://github.com/wikimedia/mediawiki/blob/master/includes/specials/SpecialProtectedpages.php#L205
And as far as I can see, Xml::label escapes the contents of $label with htmlspecialchars() :/ Are there any other usages or things I don't see?
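
A rough way to check other message call sites for the same question, as an added example (not part of the comment above and not MediaWiki's own code): it scans PHP lines for `msg()`/`wfMessage()` calls, records the output mode, and flags `text()`/`plain()` results that are not inside a call known to escape its content. The sink list, the line-by-line heuristic and the `example-*` message keys are assumptions made for illustration.

```python
import re

# Message::text() and Message::plain() return unescaped strings;
# Message::escaped() returns HTML-escaped text.
MSG_CALL = re.compile(
    r"(?:msg|wfMessage)\(\s*['\"](?P<key>[\w-]+)['\"][^)]*\)"
    r"\s*->\s*(?P<mode>text|plain|escaped)\(\)"
)
# Assumed list of callers that escape their content argument; extend as needed.
ESCAPING_SINKS = ("Xml::label", "Xml::element", "Html::element", "htmlspecialchars")


def enclosing_sink(prefix):
    """Return the innermost escaping sink whose '(' is still open at the end of prefix."""
    best = None
    for sink in ESCAPING_SINKS:
        pos = prefix.rfind(sink + "(")
        if pos == -1:
            continue
        tail = prefix[pos + len(sink):]
        if tail.count("(") > tail.count(")") and (best is None or pos > best[0]):
            best = (pos, sink)
    return best[1] if best else None


def audit(lines):
    """Return (line number, message key, output mode, verdict) for each message call."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in MSG_CALL.finditer(line):
            if m["mode"] == "escaped":
                verdict = "escaped by Message::escaped()"
            else:
                sink = enclosing_sink(line[: m.start()])
                verdict = f"escaped by {sink}" if sink else "REVIEW: unescaped output"
            findings.append((lineno, m["key"], m["mode"], verdict))
    return findings


# Line 1 is the call quoted in the comment; lines 2-4 are constructed samples.
SAMPLE = [
    "Xml::label( $this->msg( 'pagesize' )->text(), 'wpsize' )",
    "$out->addHTML( $this->msg( 'example-raw' )->text() );",
    "$html .= $this->msg( 'example-safe' )->escaped();",
    "Html::rawElement( 'td', [], $this->msg( 'example-plain' )->plain() )",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A REVIEW verdict only means the escaping is not visible on that line; the value may still be escaped elsewhere before output, so each hit needs a manual look.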