wiki.techinc.nl/includes/htmlform
Latest commit: b2310f4736 by Dylan F

SECURITY: Escape usernames in HTMLUserTextField validation errors
CVE-2025-6590

The HTMLUserTextField is accessible to logged-out users on private wikis
through Special:PasswordReset. Validation error messages returned by this
field included unescaped usernames parsed as wikitext. This allowed
logged-out attackers arbitrary access to the parser, enabling them to
reveal page contents through transclusion, e.g., "{{:Private page}}".

Escape the username parameter using wfEscapeWikiText() to prevent
wikitext interpretation in error messages.

Bug: T392746
Change-Id: Ifd8283e107e1655fa3f5694183c4f67954e5c4c5
2025-06-30 20:57:16 +01:00
File                                      Last commit                                                                  Date
fields                                    SECURITY: Escape usernames in HTMLUserTextField validation errors            2025-06-30 20:57:16 +01:00
CodexHTMLForm.php                         Use explicit nullable type on parameter arguments                            2024-10-16 20:58:33 +02:00
CollapsibleFieldsetLayout.php             Standardise all our class alias deprecation comments for ease of grepping    2024-03-19 20:11:29 +00:00
HTMLForm.php                              htmlform: Allow MessageParam on HTMLForm::addButton for label-message        2024-10-26 23:12:51 +00:00
HTMLFormActionFieldLayout.php             Standardise all our class alias deprecation comments for ease of grepping    2024-03-19 20:11:29 +00:00
HTMLFormElement.php                       htmlform: Add missing documentation to class properties                      2024-09-14 11:49:05 +00:00
HTMLFormField.php                         htmlform: Add missing documentation to class properties                      2024-09-14 11:49:05 +00:00
HTMLFormFieldLayout.php                   Standardise all our class alias deprecation comments for ease of grepping    2024-03-19 20:11:29 +00:00
HTMLFormFieldRequiredOptionsException.php Standardise all our class alias deprecation comments for ease of grepping    2024-03-19 20:11:29 +00:00
HTMLNestedFilterable.php                  Standardise all our class alias deprecation comments for ease of grepping    2024-03-19 20:11:29 +00:00
OOUIHTMLForm.php                          Use explicit nullable type on parameter arguments                            2024-10-16 20:58:33 +02:00
VFormHTMLForm.php                         Use explicit nullable type on parameter arguments                            2024-10-16 20:58:33 +02:00