>>! In T115095#3004776, @Bawolff wrote:
> Review of 631882e3779 of Newsletter extension (Jan 29, 2017)
[x] "NewsletterTablePager.php" line 96 - Run htmlspecialchars after you truncate, not before. In this particular case, the worst that could happen would be for an entity reference to get cut off in the middle, but nonetheless escaping should always be the last thing you do.
[x] NewsletterDiffEngine - The messages for the h4 headers are not escaped.
[] "SpecialNewsletter.php" line 142 - newsletter-subtitlelinks-foo message is not escaped when it is the active link. **(PS under review)**
[] "NewsletterContent.php" line 253 - Double escaping in the OOUI button labels.
[] "SpecialNewsletter.php" line 207 - Double escaping newsletter-do-unsubscribe.
[] "NewsletterTablePager.php" line 33 - getFieldNames() has double escaping.
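
The ordering point in the first item and the double-escaping items, as an added example in plain PHP (not code from the Newsletter extension); the sample string, the limit and the function names are assumptions made for illustration.

```php
<?php
// Constructed sample value and limit; neither comes from the Newsletter extension.
$raw = 'Tips & tricks for <b>editors</b>';
$limit = 8;

// Order the review objects to: escape first, then truncate.
// "&" has already become "&amp;", so the cut can land inside the entity.
function escapeThenTruncate( string $text, int $limit ): string {
	$escaped = htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
	return mb_substr( $escaped, 0, $limit, 'UTF-8' );
}

// Order the review asks for: truncate the raw text, escape as the last step.
function truncateThenEscape( string $text, int $limit ): string {
	$cut = mb_substr( $text, 0, $limit, 'UTF-8' );
	return htmlspecialchars( $cut, ENT_QUOTES, 'UTF-8' );
}

// Double escaping: a value that was escaped once is handed to an output
// layer that escapes again, so "&amp;" turns into "&amp;amp;".
function escapeTwice( string $text ): string {
	$alreadyEscaped = htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
	return htmlspecialchars( $alreadyEscaped, ENT_QUOTES, 'UTF-8' );
}

// Print the three results side by side for comparison.
echo 'escape, then truncate: ', escapeThenTruncate( $raw, $limit ), "\n";
echo 'truncate, then escape: ', truncateThenEscape( $raw, $limit ), "\n";
echo 'escaped twice:         ', escapeTwice( $raw ), "\n";
```

The first line of output ends in a cut-off entity, and the third shows entity text that a browser would display literally to the reader instead of the intended character.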