SECURITY: Escape system messages in mw.language.listToText

CVE-2025-11261

It should be possible to use the result of this method as HTML
without introducing i18n XSSs.
The PHP-equivalent Language::listToText also escapes the messages.

This fixes a stored i18n XSS in CheckUser.

Bug: T406322
Change-Id: Ieb809b043dec288e92356d8f6492d22340c8c3f6
(cherry picked from commit d951fa4ff07a96907b023e4f7e5dd7c630a78fc1)
SomeRandomDeveloper 2025-10-03 14:14:44 +02:00 committed by Reedy
parent 4c4b22af95
commit 54c85c7713


@ -138,9 +138,9 @@
for ( let i = 0; i < list.length; i++ ) {
text += list[ i ];
if ( list.length - 2 === i ) {
text += mw.msg( 'and' ) + mw.msg( 'word-separator' );
text += mw.message( 'and' ).escaped() + mw.message( 'word-separator' ).escaped();
} else if ( list.length - 1 !== i ) {
text += mw.msg( 'comma-separator' );
text += mw.message( 'comma-separator' ).escaped();
}
}
return text;
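Review bot: The escaping in this hunk covers only the separator messages; the unchanged `text += list[ i ];` line at the top of the loop still concatenates each list item verbatim, so the return value is only safe to use as HTML when every caller passes items that are already HTML-escaped. Since the commit message states that the result should be usable as HTML, either the function's doc comment (outside this hunk) should say explicitly that items are inserted raw and must be pre-escaped by the caller, or the loop should escape them too, e.g. `text += mw.html.escape( list[ i ] );`, if no caller relies on passing markup. Replacing `mw.msg( 'and' )` with `mw.message( 'and' ).escaped()` (and likewise for `word-separator` and `comma-separator`) is the right fix for the separators, since `.escaped()` returns the message text with HTML special characters escaped rather than the raw message content.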