Steps to reproduce:
- Add $wgUseXssLanguage = true; to your LocalSettings.php
- Load http://localhost:8080/wiki/Special:MassMessage?uselang=x-xss
Expected behaviour: No alert messages are shown
Observed behaviour: An alert with the text massmessage-form-page-help is shown. The x-xss pseudo-language replaces every message with a script tag carrying the message key, so the alert means this message reached the page as unescaped HTML.
Extra information
It seems that HTMLFormField wraps the content of the 'help' attribute in an HtmlArmor (so it is emitted as raw HTML) even though the description in HTMLForm says:
'help' -- message text for a message to use as a help text.
Ideally, it should be clearer that HTML passed via this HTMLFormField attribute is not escaped.
To fix this issue, the MassMessage form should pass the message key via the help-message attribute instead of passing the message text via help.
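As an added illustration (not code from the MassMessage extension or from MediaWiki core), the field-descriptor pattern the report describes and the proposed fix, written as a hypothetical FormSpecialPage subclass. The class name, the 'page' field and the 'massmessage-form-page' label key are assumptions; 'massmessage-form-page-help' is the key from the report.

```php
<?php
// Added example, not MassMessage's own code. Demonstrates the difference
// between HTMLForm's 'help' (raw HTML) and 'help-message' (message key).

class SpecialExampleMassMessage extends FormSpecialPage {

	// Hypothetical helper, not a method HTMLForm calls. It shows the
	// vulnerable shape: Message::text() returns UNESCAPED text, and 'help'
	// expects HTML, so HTMLFormField wraps it in HtmlArmor and outputs it as-is.
	// Under ?uselang=x-xss the message body is
	// <script>alert("massmessage-form-page-help")</script>, which executes.
	protected function getFormFieldsBefore() {
		return [
			'page' => [
				'type' => 'text',
				'label-message' => 'massmessage-form-page',
				'help' => $this->msg( 'massmessage-form-page-help' )->text(),
			],
		];
	}

	// The proposed fix: hand HTMLForm the message key. HTMLFormField fetches
	// and renders the message itself, so the injected script tag is escaped.
	protected function getFormFields() {
		return [
			'page' => [
				'type' => 'text',
				'label-message' => 'massmessage-form-page',
				'help-message' => 'massmessage-form-page-help',
			],
		];
	}

	// If a field really must build its own HTML for 'help', produce HTML,
	// not text: $this->msg( ... )->parse() (wikitext to HTML) or ->escaped()
	// are safe here, ->text() is not.

	public function onSubmit( array $data ) {
		return true; // stub for the example; the real form does the sending
	}
}
```

Re-running the steps to reproduce with ?uselang=x-xss after such a change should show no alert; the help text renders the literal script tag as text instead.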