SECURITY: Escape submit button label for Codex-based HTMLForms

CVE-2025-61642

HTMLButtonField::buildCodexComponent() expects raw HTML for its button
label parameter, and this makes sense in the context of that class. But
it was also being used to build the submit button, where we were passing
in a plain text button label.

Escape the button label before passing it in, and more clearly document
that this parameter expects raw HTML.

Bug: T402313
Change-Id: I7fe42df7b9a3fd97eaf89515b7c1afb5ae3e688c
Roan Kattouw 2025-08-25 09:59:44 -07:00 committed by Reedy
parent 199aab790a
commit 71ebf1a1cf
2 changed files with 3 additions and 4 deletions


@ -183,7 +183,7 @@ class CodexHTMLForm extends HTMLForm {
$button = HTMLButtonField::buildCodexComponent(
$submitFlags,
$submitButtonLabel,
htmlspecialchars( $submitButtonLabel ),
$buttonAttribs
);
$buttons[] = $button;
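Review bot: the `htmlspecialchars( $submitButtonLabel )` wrapper is the right fix for a plain-text label passed into a parameter that expects raw HTML, but this hunk does not show where `$submitButtonLabel` is assigned; confirm that no code path in CodexHTMLForm already produces HTML for it (for example a message rendered with parse rather than text), since that would now be double-escaped and render visible entities on the button.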


@ -132,8 +132,6 @@ class HTMLButtonField extends HTMLFormField {
'formnovalidate' => $this->mFormnovalidate,
] + $this->getAttributes( [ 'disabled', 'tabindex' ] );
// T394396 - Needs revisiting. Merged with suppress to match sec release.
// @phan-suppress-next-line SecurityCheck-DoubleEscaped
return static::buildCodexComponent(
$flags,
$buttonLabel,
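Review bot: dropping the `@phan-suppress-next-line SecurityCheck-DoubleEscaped` line (and the T394396 note) is only safe if the taint analyser is now satisfied by the `@param-taint $buttonLabel exec_html` annotation on `buildCodexComponent()`; please confirm the phan SecurityCheck run is clean on this file after the change, and that the `$buttonLabel` passed here from the field instance is intentionally raw HTML rather than a plain-text label that also needs `htmlspecialchars()`.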
@ -145,7 +143,8 @@ class HTMLButtonField extends HTMLFormField {
* Build the markup of the Codex component
*
* @param array $flags The button's flag classes.
* @param string $buttonLabel The button's label attribute.
* @param string $buttonLabel The button's label (raw HTML)
* @param-taint $buttonLabel exec_html
* @param array $attribs The button's list of attributes.
* @return string Raw HTML.
*/
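Review bot: the docblock fix from "label attribute" to "label (raw HTML)" plus the `@param-taint $buttonLabel exec_html` line is what makes the static check meaningful; consider adding one sentence to the `@param` description telling callers that plain-text labels must be passed through `htmlspecialchars()` first, so the next caller does not repeat the submit-button mistake this commit fixes.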