The HTMLForm library doesn't escape the input of the help key by default. Is this intended behavior?
For example, the following form descriptor using an interface message through wfMessage()->text() is an XSS vector.
```php
$formDescriptor = [
	'simpletextfield' => [
		'label' => 'Simple Text Field',
		'class' => 'HTMLTextField',
		'help' => wfMessage( 'myextension-mymessage' )->text(), // not escaped by HTMLForm, XSS!
	],
];
```
We should rename the key to be help-raw, so users know it is a raw key. We should mark the old key name deprecated but keep it around for a transition period.
Afterwards we should adjust phan-taint-check to make sure it recognizes the new key name.
If you are fixing this, you probably need to edit (the comment in) includes/htmlform/HTMLForm.php and includes/htmlform/HTMLFormField.php, as well as mentioning the deprecation in RELEASE-NOTES.
- New help-raw param added, and old help param marked as deprecated.
- Migrate all Wikimedia production code to use help-raw instead of help.
- Make use of the help param cause a deprecation warning.
- Drop support for use of help (in MW 1.44 or later).
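As an added illustration (not code from the task or from MediaWiki core), here is the vulnerable descriptor from the report next to two ways of writing it safely. It assumes MediaWiki's documented HTMLForm field options (`help` as raw HTML, `help-message` as a message key rendered by HTMLForm itself) and the `Message::text()` / `Message::escaped()` methods; the field name, message key and sample message content are placeholders.

```php
<?php
// Added example; not from the task or from MediaWiki core. Assumes the
// HTMLForm/HTMLFormField option names and the Message class as documented.

// Suppose the interface message (constructed for this example) has been edited
// on-wiki to contain markup such as:
//   <img src=x onerror=alert(1)>

// BEFORE: 'help' is treated as raw HTML by HTMLForm, and ->text() performs no
// HTML escaping, so the markup reaches the rendered form unchanged.
$vulnerableDescriptor = [
	'simpletextfield' => [
		'label' => 'Simple Text Field',
		'class' => 'HTMLTextField',
		'help' => wfMessage( 'myextension-mymessage' )->text(), // XSS
	],
];

// AFTER (option 1): give HTMLForm the message key via 'help-message' and let
// it render the message itself instead of pre-rendering it to raw HTML.
$safeDescriptorMessageKey = [
	'simpletextfield' => [
		'label' => 'Simple Text Field',
		'class' => 'HTMLTextField',
		'help-message' => 'myextension-mymessage',
	],
];

// AFTER (option 2): if the help text must be computed by the extension, escape
// it before handing it to the raw key. ->escaped() HTML-escapes the message
// text, so the <img ...> above is shown literally rather than interpreted.
$safeDescriptorEscaped = [
	'simpletextfield' => [
		'label' => 'Simple Text Field',
		'class' => 'HTMLTextField',
		'help' => wfMessage( 'myextension-mymessage' )->escaped(),
	],
];
```

Option 1 is the one to prefer when migrating callers: it keeps the raw-HTML key out of extension code entirely, which is what the proposed `help-raw` rename is meant to make obvious at the call site, and it is the shape that phan-taint-check can reason about without special-casing the key name.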