Like T361448 and T361449, just for a different skin and using a different source message.
Works for both the "main" (displayed) navigation menu entry as well as for submenu entries, e.g. this code in MediaWiki:Nimbus-sidebar results in two alerts being run:
* "><script>alert('XSS')</script>
** "><script>alert('even more XSS')</script>
Proposed & tested patch (it took me a while to understand this awful code again and figure out the best place for the escaping):
diff --git a/includes/NimbusTemplate.php b/includes/NimbusTemplate.php index 042f72e..6efab4b 100644 --- a/includes/NimbusTemplate.php +++ b/includes/NimbusTemplate.php @@ -429,7 +438,7 @@ class NimbusTemplate extends BaseTemplate { // Determine what to show as the human-readable link description if ( $this->skin->msg( $line )->isDisabled() ) { // It's *not* the name of a MediaWiki message, so display it as-is - $text = $line; + $text = htmlspecialchars( $line, ENT_QUOTES ); } else { // Guess what -- it /is/ a MediaWiki message! $text = $this->skin->msg( $line )->escaped(); @@ -437,7 +446,7 @@ class NimbusTemplate extends BaseTemplate { if ( $link != null ) { if ( $this->skin->msg( $line_temp[0] )->isDisabled() ) { - $link = $line_temp[0]; + $link = htmlspecialchars( $line_temp[0], ENT_QUOTES ); } if ( preg_match( '/^(?:' . wfUrlProtocols() . ')/', $link ) ) { $href = $link;
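Review bot: In the first hunk (@@ -429,7 +438,7 @@), the comment "so display it as-is" directly above `$text = htmlspecialchars( $line, ENT_QUOTES );` no longer matches the code. Update it to say that $text is HTML-escaped in both branches (the else branch already uses `->escaped()`), so that whoever touches the output code later knows not to escape it a second time and not to assume it is raw. A regression test using the two MediaWiki:Nimbus-sidebar entries from the report, one top-level and one submenu, would pin this down.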
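Review bot: In the second hunk (@@ -437,7 +446,7 @@), `$link = htmlspecialchars( $line_temp[0], ENT_QUOTES );` escapes only inside the `isDisabled()` branch and does so before the `wfUrlProtocols()` match and `$href = $link;`. Two things to confirm: that $link is also safe on the path where `$line_temp[0]` is an existing message (its value there is set outside the visible lines), and that the code emitting $href does not escape attributes again, which would turn `&` in a query string into `&amp;amp;`. Escaping where the attribute is written out, rather than at assignment, would cover both paths with one call.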
(Line numbers in the patch might be a bit off due to an unrelated chunk of unsubmitted code not being included here.)