From 994f95f75787356ef827a395152fc97cb890fc18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?=
Date: Mon, 2 Jun 2025 21:12:34 +0200
Subject: [PATCH] Treat File::getShortDesc() as possibly unsafe HTML

File::getShortDesc() is documented to return HTML, but some handlers return unescaped plain text.

Bug: T395834
Change-Id: I150f0215339b4ac18254fce2be138b1cde2277d5
(cherry picked from commit b2a9cc1564397e27fd80e44e99e1905fcbd10684)
---
 includes/search/searchwidgets/FullSearchResultWidget.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/includes/search/searchwidgets/FullSearchResultWidget.php b/includes/search/searchwidgets/FullSearchResultWidget.php
index 3b805118619..f8ebf2b455a 100644
--- a/includes/search/searchwidgets/FullSearchResultWidget.php
+++ b/includes/search/searchwidgets/FullSearchResultWidget.php
@@ -11,6 +11,7 @@ use MediaWiki\HookContainer\HookRunner;
 use MediaWiki\Html\Html;
 use MediaWiki\Linker\LinkRenderer;
 use MediaWiki\MainConfigNames;
+use MediaWiki\Parser\Sanitizer;
 use MediaWiki\Search\Entity\SearchResultThumbnail;
 use MediaWiki\Search\SearchResultThumbnailProvider;
 use MediaWiki\Specials\SpecialSearch;
@@ -317,9 +318,14 @@ class FullSearchResultWidget implements SearchResultWidget {
 			return [ $html, null, $this->generateThumbnailHtml( $result ) ];
 		}
 
+		// File::getShortDesc() is documented to return HTML, but many handlers used to incorrectly
+		// return plain text (T395834), so sanitize it in case the same bug is present in extensions.
+		$unsafeShortDesc = $img->getShortDesc();
+		$shortDesc = Sanitizer::removeSomeTags( $unsafeShortDesc );
+
 		return [
 			$html,
-			$this->specialPage->msg( 'parentheses' )->rawParams( $img->getShortDesc() )->escaped(),
+			$this->specialPage->msg( 'parentheses' )->rawParams( $shortDesc )->escaped(),
 			$this->generateThumbnailHtml( $result, $thumbnail )
 		];
 	}
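Review bot: The new sanitization in the second hunk has no accompanying regression test — the diffstat shows only the widget file changed — so nothing pins that a handler whose getShortDesc() returns a string containing markup ends up filtered rather than inserted verbatim into the search result line. A unit test for this method using a File stub whose getShortDesc() returns a string with a disallowed tag, asserting that the tag is absent from the second element of the returned array, would protect the fix against regression. It is also worth recording next to the rawParams() line that `->escaped()` escapes only the message text and not raw parameters, so the safety of this output rests entirely on `Sanitizer::removeSomeTags()`; for example `// rawParams() bypasses escaping, so $shortDesc must already be safe HTML`. The enclosing method begins outside the hunk, so the origin of $img and $html cannot be checked here.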