Found by running git grep -F '.html(' wikibase/ and skimming through the results. This was the fifth one, out of 25 total. Stay tuned for how many more I find!

Edit: Only one more, T238824.

As far as I can tell, we only use .html instead of .text so that the   in the message will be correctly interpreted. There are some ways to decode HTML entities in JavaScript (e. g. here), most of the complete ones boiling down to some form of newElement.innerHtml = ...; return newElement.textContent, but those don’t feel that great to me. And since   is the only entity used in all the current translations, we may as well keep it simple:

diff --git a/wikibase/queryService/ui/ResultView.js b/wikibase/queryService/ui/ResultView.js
index 08da446..11f4472 100644
--- a/wikibase/queryService/ui/ResultView.js
+++ b/wikibase/queryService/ui/ResultView.js
@@ -364,12 +364,12 @@ wikibase.queryService.ui.ResultView = ( function( $, download, window ) {
 	SELF.prototype._handleQueryResult = function() {
 		var api = this._sparqlApi;
 
-		$( '#response-summary' ).html(
+		$( '#response-summary' ).text(
 			wikibase.queryService.ui.i18n.getMessage(
 				'wdqs-app-resultbrowser-response-summary',
 				'$1 results in $2 ms',
 				[ api.getResultLength(), api.getExecutionTime() ]
-			)
+			).replace( / /g, '\xA0' )
 		);
 		$( '.result' ).show();

Lets deploy the fix for this one alongside T238824
I'll use this ticket for communication and planning etc so we keep everything in one place.
I just pinged @Lucas_Werkmeister_WMDE to make a patch similar to the recent XSS issue so we can deploy to production and then go through the same sequence as last time for releasing code for everyone else.

Patch for /src/deployment/wdqs/wdqs/gui/ is at /home/lucaswerkmeister-wmde/T238822+T238824.patch on deployment.eqiad.wmnet.

The patch was generated by running grunt security, using the new Grunt task I’m adding in https://gerrit.wikimedia.org/r/552293.

The patch to wikidata/query/gui itself (before build) is at P9720 (the paste should be visible to all subscribers of this task, if I did the custom policy correctly).

@Lucas_Werkmeister_WMDE - not sure if you're aware, but there is a bit of automated mitigation running in CI to deal with these kinds of i18n scenarios, see:

1. jjb: https://integration.wikimedia.org/ci/job/mediawiki-i18n-check-docker/
2. examples: https://gerrit.wikimedia.org/r/q/owner:l10n-bot%2540translatewiki.net+html

Currently jenkins-bot will -1 any patch where mediawiki-i18n-check-docker fails, which triggers a manual review by some twn-affiliated developers. You can see the script (really just a grep) being run towards the end of the console output within some recent failed builds like this one. The script and this process aren't great, but we needed a stop-gap measure due to some attacks against twn over the last couple of years.

Ah, thanks, that’s good to know.

Just poked in wikimedia-discovery on IRC.
AFAIK this patch is now ready to be deployed whenever the search platform team is ready.
Once fixed in prod we will schedule the rebuild of released things again (probably for next week)

I have deployed Lucas's patch. Kindly test this to confirm everything is fine.

Both vulnerabilities seem to be fixed (T238824 can be tested directly, and I tested this task by running $.i18n.messageStore.messages.en['wdqs-app-resultbrowser-response-summary'] += '<script>alert("hi")</script>' in the browser console), thanks!

In T238822#5688390, @Mathew.onipe wrote:

I have deployed Lucas's patch. Kindly test this to confirm everything is fine.

In T238822#5689217, @Lucas_Werkmeister_WMDE wrote:

Both vulnerabilities seem to be fixed (T238824 can be tested directly, and I tested this task by running $.i18n.messageStore.messages.en['wdqs-app-resultbrowser-response-summary'] += '<script>alert("hi")</script>' in the browser console), thanks!

Great, thanks all. I suppose we'd want to engage in the usual process here (similar to T233213) i.e. 1) make tasks public (not seeing anything to prevent that at first glance) 2) request CVEs. I don't believe there are any additional supported release branches to backport for this?

In T238822#5691510, @sbassett wrote:

Great, thanks all. I suppose we'd want to engage in the usual process here (similar to T233213) i.e. 1) make tasks public (not seeing anything to prevent that at first glance) 2) request CVEs. I don't believe there are any additional supported release branches to backport for this?

We will do the same process as last time here which involves:

• Merging some things in gerrit repos
• Building a new zipped release of the WDQS (with bundleed UI)
• Triggering new wmde docker image builds
• Announcing & making the tasks public
• CVEs, (Still not done for the last ticket yet either, so we can do all 3 at once)

We hope to schedule a time to do all of this sometime in EU daytime this week when @Lea_Lacroix_WMDE is around.

@Lea_Lacroix_WMDE noticed that my fix for T238824 is partially broken:

Okay, I’ve updated P9720 and uploaded a new deployment patch at /home/lucaswerkmeister-wmde/T238822+T238824-2.patch on deployment.eqiad.wmnet. Note that this is a patch against the upstream deployment repo, so you’d need to first remove the previous patch (without syncing that change) to make it apply, I think.

In Gerrit:

• https://gerrit.wikimedia.org/r/#/c/553311/
• https://gerrit.wikimedia.org/r/#/c/wikidata/query/gui-deploy/+/553313/

Docker image rebuild https://travis-ci.org/wmde/wikibase-docker/builds/617703004

latest: digest: sha256:6570acb916b429f10ccb3bf3479b66aa6697b3fb3982166a09aba87eeaba7c90
legacy: digest: sha256:4503257bbe1744ce389f07f6dcbaf53db7569cc3e570e30dd5a85c8d0073a39d

CVE just requested via https://cveform.mitre.org/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19327