Found with [[https://gerrit.wikimedia.org/r/c/mediawiki/core/+/902363 | r902363]] which annotates some methods as unsafe. There are some genuine vulnerabilities in BlockLogFormatter, specifically in the code for partial blocks:
```lang=php,name=BlockLogFormatter.php#110-135
		$actions = $params[6]['actions'] ?? [];
		$actions = array_map( function ( $actions ) {
			return $this->msg( 'ipb-action-' . $actions )->text();
		}, $actions );
		$restrictions = [];
		if ( $pages ) {
			$restrictions[] = $this->msg( 'logentry-partialblock-block-page' )
				->numParams( count( $pages ) )
				->rawParams( $this->context->getLanguage()->listToText( $pages ) )->text();
		}
		if ( $namespaces ) {
			$restrictions[] = $this->msg( 'logentry-partialblock-block-ns' )
				->numParams( count( $namespaces ) )
				->rawParams( $this->context->getLanguage()->listToText( $namespaces ) )->text();
		}
		$enablePartialActionBlocks = $this->context->getConfig()
			->get( MainConfigNames::EnablePartialActionBlocks );
		if ( $actions && $enablePartialActionBlocks ) {
			$restrictions[] = $this->msg( 'logentry-partialblock-block-action' )
				->numParams( count( $actions ) )
				->rawParams( $this->context->getLanguage()->listToText( $actions ) )->text(); // <-- Unsafe use of rawParams because $actions is built with Message::text()
		}
		$params[6] = Message::rawParam( $this->context->getLanguage()->listToText( $restrictions ) ); // <-- Unsafe use of rawParam because $restrictions is built with Message::text()
```
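To make the escaping contract concrete, here is an added illustration; it is not code from MediaWiki core or from the change linked above. `DemoMessage` is a deliberately tiny stand-in for the parts of the `Message` API used in the excerpt (`rawParams()`, `params()`, `text()`, `escaped()`), and `SAMPLE_ACTION_MESSAGE` and the `render*()` functions are assumed names for this demo only. The point it shows is the one the annotations make: a raw parameter is substituted verbatim, so whatever goes into `rawParams()` must already be safe for the output format, and `->text()` does not guarantee that.

```php
<?php
declare(strict_types=1);

// Added illustration, not MediaWiki code. DemoMessage is a minimal stand-in
// for MediaWiki's Message API: the real class does far more, but the escaping
// contract modelled here is the one that matters for this report.
final class DemoMessage {
	private string $template;
	/** @var array<int, array{0: string, 1: string}> list of [kind, value] */
	private array $params = [];

	public function __construct( string $template ) {
		$this->template = $template;
	}

	// Raw parameters are inserted verbatim: the caller promises they are
	// already safe for the output format.
	public function rawParams( string ...$values ): self {
		foreach ( $values as $v ) {
			$this->params[] = [ 'raw', $v ];
		}
		return $this;
	}

	// Ordinary parameters are escaped together with the message body when
	// the message is rendered as HTML.
	public function params( string ...$values ): self {
		foreach ( $values as $v ) {
			$this->params[] = [ 'plain', $v ];
		}
		return $this;
	}

	// text(): parameters substituted, no HTML escaping at all.
	public function text(): string {
		return $this->render( false );
	}

	// escaped(): body and ordinary parameters HTML-escaped, raw ones untouched.
	public function escaped(): string {
		return $this->render( true );
	}

	private function render( bool $html ): string {
		$esc = static fn ( string $s ): string => htmlspecialchars( $s, ENT_QUOTES );
		$map = [];
		foreach ( $this->params as $i => [ $kind, $value ] ) {
			$map[ '$' . ( $i + 1 ) ] = ( $html && $kind === 'plain' ) ? $esc( $value ) : $value;
		}
		$body = $html ? $esc( $this->template ) : $this->template;
		// strtr() substitutes every placeholder in a single pass, so a value
		// that itself contains "$2" is not expanded a second time.
		return strtr( $body, $map );
	}
}

// Constructed sample: the localised text of an 'ipb-action-*' style message.
// Interface messages are editable on-wiki, so their content is not trusted.
const SAMPLE_ACTION_MESSAGE = 'create <i>new</i> pages';

// The pattern from the excerpt: the inner message is flattened with text(),
// then handed to rawParams(); escaped() on the outer message cannot undo that.
function renderUnsafe(): string {
	$action = ( new DemoMessage( SAMPLE_ACTION_MESSAGE ) )->text();
	return ( new DemoMessage( 'Blocked from: $1' ) )->rawParams( $action )->escaped();
}

// Safe variant A: the value handed to rawParams() is already HTML-escaped.
function renderSafeEscapedInner(): string {
	$action = ( new DemoMessage( SAMPLE_ACTION_MESSAGE ) )->escaped();
	return ( new DemoMessage( 'Blocked from: $1' ) )->rawParams( $action )->escaped();
}

// Safe variant B: pass the plain string as an ordinary parameter and let the
// outer message escape it along with its own body.
function renderSafePlainParam(): string {
	$action = ( new DemoMessage( SAMPLE_ACTION_MESSAGE ) )->text();
	return ( new DemoMessage( 'Blocked from: $1' ) )->params( $action )->escaped();
}

echo renderUnsafe(), "\n";
echo renderSafeEscapedInner(), "\n";
echo renderSafePlainParam(), "\n";
```

`renderUnsafe()` returns `Blocked from: create <i>new</i> pages`, with the markup from the inner message intact even though the outer message was rendered with `escaped()`; both safe variants return `Blocked from: create &lt;i&gt;new&lt;/i&gt; pages`. One caveat for the actual fix: `LogFormatter` output is also rendered as plain text for non-HTML consumers, so the inner values should be escaped only on the HTML path rather than unconditionally.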