SECURITY: Escape usernames in HTMLUserTextField validation errors

CVE-2025-6590

The HTMLUserTextField is accessible to logged-out users on private wikis
through Special:PasswordReset. Validation error messages returned by this
field included unescaped usernames parsed as wikitext. This allowed
logged-out attackers arbitrary access to the parser, enabling them to
reveal page contents through transclusion, e.g., "{{:Private page}}".

Escape the username parameter using wfEscapeWikiText() to prevent
wikitext interpretation in error messages.

Bug: T392746
Change-Id: Ifd8283e107e1655fa3f5694183c4f67954e5c4c5
Dylan F 2025-04-26 02:40:29 +01:00 committed by Reedy
parent b1adf3c728
commit b2310f4736


@ -67,14 +67,14 @@ class HTMLUserTextField extends HTMLTextField {
// Treat hidden users as unregistered if current user can't view them (T309894)
!( $user->isHidden() && !( $this->mParent && $this->mParent->getUser()->isAllowed( 'hideuser' ) ) )
) ) {
return $this->msg( 'htmlform-user-not-exists', $user->getName() );
return $this->msg( 'htmlform-user-not-exists', wfEscapeWikiText( $user->getName() ) );
}
// check if the user account type matches the account type filter
$excludeNamed = $this->mParams['excludenamed'] ?? null;
$excludeTemp = $this->mParams['excludetemp'] ?? null;
if ( ( $excludeTemp && $user->isTemp() ) || ( $excludeNamed && $user->isNamed() ) ) {
return $this->msg( 'htmlform-user-not-valid', $user->getName() );
return $this->msg( 'htmlform-user-not-valid', wfEscapeWikiText( $user->getName() ) );
}
} else {
// not a valid username
@ -102,7 +102,7 @@ class HTMLUserTextField extends HTMLTextField {
}
}
if ( !$valid ) {
return $this->msg( 'htmlform-user-not-valid', $value );
return $this->msg( 'htmlform-user-not-valid', wfEscapeWikiText( $value ) );
}
}
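Review bot: All three changed returns escape with `wfEscapeWikiText()`, which bakes HTML entities into the message text before the Message object decides how it will be formatted, so a non-parsed rendering of the same error (e.g. `->text()` or `->plain()` for API or CLI output) would show `&#123;&#123;`-style entities instead of the literal username. `Message::plaintextParams()` expresses the same "this is data, not wikitext" intent and escapes only when the output is actually parsed: `return $this->msg( 'htmlform-user-not-exists' )->plaintextParams( $user->getName() );` — confirm that `$this->msg()` returns a Message here and that the method is available in the supported MediaWiki versions before switching. The `else` branch that begins at the end of the first hunk and the code between the two hunks are outside the view; any other `$this->msg( ..., $value )` return in that stretch needs the same treatment, otherwise the transclusion vector described in the commit message remains reachable. A regression test that feeds a value such as `{{:Private page}}` through validate() and asserts the rendered error contains no transcluded content would pin the fix.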