https://bugzilla.wikimedia.org/show_bug.cgi?id=67547
--- Comment #2 from Bawolff (Brian Wolff) <[email protected]> ---

Hmm possibly we should do something like:

diff --git a/includes/Message.php b/includes/Message.php
index 826d55b..e340063 100644
--- a/includes/Message.php
+++ b/includes/Message.php
@@ -638,7 +638,7 @@ class Message {
 if ( $string === false ) {
 $key = htmlspecialchars( is_array( $this->key ) ? $this->key[0] : $this->key );
- if ( $this->format === 'plain' ) {
+ if ( $this->format === 'plain' || $this->format === 'text' ) {
 return '<' . $key . '>';
 }
 return '<' . $key . '>';

OTOH, what if users incorrectly use ->text() somewhere they shouldn't? Current behaviour would be to output a message from MW namespace unescaped, which is bad, but not horrible since only admins can edit MW namespace. After this change, if user can control the name of the message, they could possibly have an XSS in that situation. [cc'ing Niklas in case he has any thoughts on that]

----

getDescription() should perhaps also do better when MW message is missing. Incoming patch for that part.

-- 
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
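Review bot: as rendered here, both return statements in the hunk produce the identical string `'<' . $key . '>'`, so the widened condition `|| $this->format === 'text'` changes nothing; if the fall-through branch is meant to emit an entity-escaped form of the angle brackets (which is the only reason to distinguish 'plain'/'text' from the other formats), check the actual file, since the entities may have been decoded when this mail was rendered. It is also worth a short comment in the code noting that `$key` is already passed through `htmlspecialchars()` on the preceding line, so in either branch the surrounding angle brackets are the only unescaped characters in the placeholder, which bounds what a caller-controlled message name can inject when ->text() output is dropped into HTML.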
