SECURITY: UserGroupMembership: Fix HTML escaping in #getLink

In some cases, the return value would be either non-escaped or
double-escaped.

Bug: T236509
Change-Id: If56a9df5f815a58a11741c5e020bb2d43a692563

diff --git a/includes/user/UserGroupMembership.php b/includes/user/UserGroupMembership.php
index 9da0370..908ab86 100644 (file)
--- a/includes/user/UserGroupMembership.php
+++ b/includes/user/UserGroupMembership.php
@@ -396,15 +396,19 @@ class UserGroupMembership {
 
                // link to the group description page, if it exists
                $linkTitle = self::getGroupPage( $group );
 
                // link to the group description page, if it exists
                $linkTitle = self::getGroupPage( $group );

-               if ( $linkTitle ) {
-                       if ( $format === 'wiki' ) {
+               if ( $format === 'wiki' ) {
+                       if ( $linkTitle ) {

                                $linkPage = $linkTitle->getFullText();
                                $groupLink = "[[$linkPage|$groupName]]";
                        } else {
                                $linkPage = $linkTitle->getFullText();
                                $groupLink = "[[$linkPage|$groupName]]";
                        } else {

-                               $groupLink = Linker::link( $linkTitle, htmlspecialchars( $groupName ) );
+                               $groupLink = $groupName;

                        }
                } else {
                        }
                } else {

-                       $groupLink = htmlspecialchars( $groupName );
+                       if ( $linkTitle ) {
+                               $groupLink = Linker::link( $linkTitle, htmlspecialchars( $groupName ) );
+                       } else {
+                               $groupLink = htmlspecialchars( $groupName );
+                       }

                }
 
                if ( $expiry ) {
                }
 
                if ( $expiry ) {


@@ -414,14 +418,18 @@ class UserGroupMembership {
                        $expiryDT = $uiLanguage->userTimeAndDate( $expiry, $uiUser );
                        $expiryD = $uiLanguage->userDate( $expiry, $uiUser );
                        $expiryT = $uiLanguage->userTime( $expiry, $uiUser );
                        $expiryDT = $uiLanguage->userTimeAndDate( $expiry, $uiUser );
                        $expiryD = $uiLanguage->userDate( $expiry, $uiUser );
                        $expiryT = $uiLanguage->userTime( $expiry, $uiUser );

-                       if ( $format === 'html' ) {
+
+                       if ( $format === 'wiki' ) {
+                               return $context->msg( 'group-membership-link-with-expiry' )
+                                       ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->text();
+                       } else {

                                $groupLink = Message::rawParam( $groupLink );
                                $groupLink = Message::rawParam( $groupLink );

+                               return $context->msg( 'group-membership-link-with-expiry' )
+                                       ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->escaped();

                        }
                        }

-                       return $context->msg( 'group-membership-link-with-expiry' )
-                               ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->text();
-               } else {
-                       return $groupLink;

                }
                }

+
+               return $groupLink;

        }
 
        /**
        }
 
        /**