```php
public static function makeLink( $title, $msg = null, $attrs = array(), $params = array() ) {
	// Note: function_exists() only recognises plain functions, not static
	// methods, so this string check cannot detect MediaWikiServices::getLinkRenderer().
	if ( function_exists( 'MediaWiki\MediaWikiServices::getLinkRenderer' ) ) {
		// MW 1.28+: LinkRenderer HTML-escapes $msg before emitting it
		$linkRenderer = MediaWikiServices::getInstance()->getLinkRenderer();
		return $linkRenderer->makeKnownLink( $title, $msg, $attrs, $params );
	} else {
		// Older MW: Linker inserts $msg as raw HTML
		return Linker::linkKnown( $title, $msg, $attrs, $params );
	}
}
```
LinkRenderer HTML-escapes `$msg`, but Linker does not. So on older MW versions this could potentially cause an XSS if developers assume that `$msg` will be escaped for them.
Probably the best fix would be to be consistent: skip the HTML escaping in the LinkRenderer case by passing `$msg` wrapped in HtmlArmor, and ensure that all callers do their own HTML escaping.
I noticed this while investigating a phan-taint-check-plugin error.
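The inconsistency and the proposed fix, as an added stand-alone example (not code from this task or from any MediaWiki extension). The `HtmlArmor` class is a simplified re-implementation of MediaWiki's, and `legacyLinkKnown()` / `newMakeKnownLink()` are toy stand-ins that reproduce only the escaping behaviour described above; the `$payload` is constructed input.

```php
<?php
// Simplified stand-in for MediaWiki's HtmlArmor: marks a string as already-safe HTML.
class HtmlArmor {
	private $value;
	public function __construct( $value ) {
		$this->value = $value;
	}
	// Plain strings get escaped; HtmlArmor instances are returned as-is.
	public static function getHtml( $input ) {
		return $input instanceof HtmlArmor
			? $input->value
			: htmlspecialchars( $input, ENT_QUOTES );
	}
}

// Toy stand-in for Linker::linkKnown on old MW: link text is trusted, raw HTML.
function legacyLinkKnown( $href, $msg ) {
	return '<a href="' . htmlspecialchars( $href, ENT_QUOTES ) . '">' . $msg . '</a>';
}

// Toy stand-in for LinkRenderer::makeKnownLink: strings escaped, HtmlArmor honoured.
function newMakeKnownLink( $href, $msg ) {
	return '<a href="' . htmlspecialchars( $href, ENT_QUOTES ) . '">' . HtmlArmor::getHtml( $msg ) . '</a>';
}

// Current helper shape: the same $msg is safe on one MW version and unsafe on another.
function makeLinkInconsistent( $href, $msg, $useLinkRenderer ) {
	return $useLinkRenderer
		? newMakeKnownLink( $href, $msg )
		: legacyLinkKnown( $href, $msg );
}

// Proposed helper shape: callers pass already-escaped HTML; the helper never
// escapes, and wraps in HtmlArmor so the new path does not double-escape.
function makeLinkConsistent( $href, $safeHtmlMsg, $useLinkRenderer ) {
	return $useLinkRenderer
		? newMakeKnownLink( $href, new HtmlArmor( $safeHtmlMsg ) )
		: legacyLinkKnown( $href, $safeHtmlMsg );
}

$payload = '<img src=x onerror=alert(1)>'; // constructed attacker-controlled link text

foreach ( [ true, false ] as $useLinkRenderer ) {
	$label = $useLinkRenderer ? 'LinkRenderer' : 'Linker      ';
	echo "$label inconsistent: ", makeLinkInconsistent( '/wiki/Foo', $payload, $useLinkRenderer ), "\n";
	echo "$label consistent:   ", makeLinkConsistent(
		'/wiki/Foo', htmlspecialchars( $payload, ENT_QUOTES ), $useLinkRenderer
	), "\n";
}
```

With the inconsistent helper the Linker path emits the `<img ... onerror=...>` tag verbatim while the LinkRenderer path escapes it, so a caller who tested only on a current wiki would miss the XSS. With the consistent helper both paths produce the same, once-escaped output, and the escaping responsibility lives in exactly one place, the caller.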