wiki.techinc.nl/includes/htmlform
Roan Kattouw 71ebf1a1cf SECURITY: Escape submit button label for Codex-based HTMLForms
CVE-2025-61642

HTMLButtonField::buildCodexComponent() expects raw HTML for its button
label parameter, and this makes sense in the context of that class. But
it was also being used to build the submit button, where we were passing
in a plain text button label.

Escape the button label before passing it in, and more clearly document
that this parameter expects raw HTML.

Bug: T402313
Change-Id: I7fe42df7b9a3fd97eaf89515b7c1afb5ae3e688c
2025-10-02 19:36:28 +00:00
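The bug in the commit message is a contract mismatch at a trust boundary: a builder whose label parameter is raw HTML was being called with plain text. The example below is added here to show that boundary and the fix; it is not MediaWiki's code. The functions, class names and the hostile label string are constructed for illustration and only stand in for the shape of `HTMLButtonField::buildCodexComponent()` and the submit-button caller described above.

```php
<?php
// Added illustration, not MediaWiki code. A minimal stand-in for a
// Codex-style button builder whose label parameter is raw HTML, plus a
// submit-button helper that calls it, first unsafely, then correctly.

/**
 * Build the button markup.
 *
 * @param string $labelHtml Raw HTML. The caller is responsible for
 *        escaping plain text before passing it here; this function
 *        deliberately does not escape, so callers can pass markup.
 * @param string $type Button type attribute (plain text, escaped here).
 * @return string HTML
 */
function buildCodexButton( string $labelHtml, string $type = 'submit' ): string {
    return '<button class="cdx-button" type="'
        . htmlspecialchars( $type, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )
        . '">' . $labelHtml . '</button>';
}

/**
 * Before the fix: the submit label is plain text (for example a message
 * rendered as text) but is handed straight to a raw-HTML parameter.
 * Any markup in the label is emitted verbatim.
 */
function buildSubmitVulnerable( string $labelText ): string {
    return buildCodexButton( $labelText );
}

/**
 * After the fix: escape exactly once, at the point where a plain string
 * is converted into HTML. Callers that genuinely hold HTML keep calling
 * buildCodexButton() directly and are not double-escaped.
 */
function buildSubmitFixed( string $labelText ): string {
    return buildCodexButton(
        htmlspecialchars( $labelText, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )
    );
}

/**
 * Self-check: returns true when the fixed builder neutralises the markup
 * and the vulnerable one does not. Used by the demonstration below.
 */
function labelIsNeutralised( string $labelText ): bool {
    $unsafe = buildSubmitVulnerable( $labelText );
    $safe   = buildSubmitFixed( $labelText );
    return strpos( $unsafe, '<img' ) !== false
        && strpos( $safe, '<img' ) === false
        && strpos( $safe, '&lt;img' ) !== false;
}

// Constructed hostile label (not from the page): submit text containing markup.
$label = 'Save <img src=x onerror=alert(1)>';

echo buildSubmitVulnerable( $label ), "\n";
echo buildSubmitFixed( $label ), "\n";
echo labelIsNeutralised( $label ) ? "escaping boundary respected\n" : "label leaked as HTML\n";

// A caller that really has HTML (escaped upstream) uses the raw-HTML
// builder directly, so legitimate markup survives and is not re-escaped.
echo buildCodexButton( '<strong>Save</strong>' ), "\n";
```

The practical check for reviewers of similar changes: find every caller of a parameter documented as raw HTML and confirm each one either already holds HTML or escapes once before the call; escaping inside the builder instead would break the callers that legitimately pass markup.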
Name | Last commit | Date
fields | SECURITY: Escape submit button label for Codex-based HTMLForms | 2025-10-02 19:36:28 +00:00
CodexHTMLForm.php | SECURITY: Escape submit button label for Codex-based HTMLForms | 2025-10-02 19:36:28 +00:00
CollapsibleFieldsetLayout.php | Standardise all our class alias deprecation comments for ease of grepping | 2024-03-19 20:11:29 +00:00
HTMLForm.php | htmlform: Allow MessageParam on HTMLForm::addButton for label-message | 2024-10-26 23:12:51 +00:00
HTMLFormActionFieldLayout.php | Standardise all our class alias deprecation comments for ease of grepping | 2024-03-19 20:11:29 +00:00
HTMLFormElement.php | htmlform: Add missing documentation to class properties | 2024-09-14 11:49:05 +00:00
HTMLFormField.php | htmlform: Add missing documentation to class properties | 2024-09-14 11:49:05 +00:00
HTMLFormFieldLayout.php | Standardise all our class alias deprecation comments for ease of grepping | 2024-03-19 20:11:29 +00:00
HTMLFormFieldRequiredOptionsException.php | Standardise all our class alias deprecation comments for ease of grepping | 2024-03-19 20:11:29 +00:00
HTMLNestedFilterable.php | Standardise all our class alias deprecation comments for ease of grepping | 2024-03-19 20:11:29 +00:00
OOUIHTMLForm.php | Use explicit nullable type on parameter arguments | 2024-10-16 20:58:33 +02:00
VFormHTMLForm.php | Use explicit nullable type on parameter arguments | 2024-10-16 20:58:33 +02:00