From: Bartosz DziewoƄski
Date: Mon, 23 Mar 2020 21:01:30 +0000 (+0100)
Subject: SECURITY: UserGroupMembership: Fix HTML escaping in #getLink
X-Git-Tag: 1.31.7~2
X-Git-Url: http://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=86a727b908e7c729d0ccfc67ff6c2cf27ff28928;ds=sidebyside
SECURITY: UserGroupMembership: Fix HTML escaping in #getLink
In some cases, the return value would be either non-escaped or double-escaped.
Bug: T236509
Change-Id: If56a9df5f815a58a11741c5e020bb2d43a692563
---
diff --git a/includes/user/UserGroupMembership.php b/includes/user/UserGroupMembership.php
index 9da0370e20..908ab86e4b 100644
--- a/includes/user/UserGroupMembership.php
+++ b/includes/user/UserGroupMembership.php
@@ -396,15 +396,19 @@ class UserGroupMembership {
 // link to the group description page, if it exists
 $linkTitle = self::getGroupPage( $group );
- if ( $linkTitle ) {
- if ( $format === 'wiki' ) {
+ if ( $format === 'wiki' ) {
+ if ( $linkTitle ) {
 $linkPage = $linkTitle->getFullText();
 $groupLink = "[[$linkPage|$groupName]]";
 } else {
- $groupLink = Linker::link( $linkTitle, htmlspecialchars( $groupName ) );
+ $groupLink = $groupName;
 }
 } else {
- $groupLink = htmlspecialchars( $groupName );
+ if ( $linkTitle ) {
+ $groupLink = Linker::link( $linkTitle, htmlspecialchars( $groupName ) );
+ } else {
+ $groupLink = htmlspecialchars( $groupName );
+ }
 }
 if ( $expiry ) {
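Review bot: The restructured branch at `if ( $format === 'wiki' ) {` gives the two formats different output contracts, but no comment there states them. The wiki branch returns `$groupName` with no HTML escaping, and every other `$format` value falls through to the escaped HTML branch. A comment above the `if`, such as `// 'wiki' yields wikitext that is NOT HTML-safe and must go through the parser; any other format yields escaped HTML.`, would keep a later caller from echoing the wiki-format value straight into a page. `$groupName` is also interpolated unchanged into `[[$linkPage|$groupName]]`, so a name containing `]]` or `|` would presumably alter the link markup; where `$groupName` is produced lies outside this hunk, so that is worth confirming. The enclosing method starts and ends outside the hunk.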
@@ -414,14 +418,18 @@ class UserGroupMembership {
 $expiryDT = $uiLanguage->userTimeAndDate( $expiry, $uiUser );
 $expiryD = $uiLanguage->userDate( $expiry, $uiUser );
 $expiryT = $uiLanguage->userTime( $expiry, $uiUser );
- if ( $format === 'html' ) {
+
+ if ( $format === 'wiki' ) {
+ return $context->msg( 'group-membership-link-with-expiry' )
+ ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->text();
+ } else {
 $groupLink = Message::rawParam( $groupLink );
+ return $context->msg( 'group-membership-link-with-expiry' )
+ ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->escaped();
 }
- return $context->msg( 'group-membership-link-with-expiry' )
- ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->text();
- } else {
- return $groupLink;
 }
+
+ return $groupLink;
 }
 /**
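Review bot: In the `else` branch, `Message::rawParam( $groupLink )` is only safe together with two other things: `$groupLink` must already be escaped HTML at that point, and the chain must end in `->escaped()`. Nothing at the call records that pairing. A comment on the `rawParam` line would make the invariant explicit for the next edit, for example `// $groupLink is already HTML here, so pass it raw; escaped() covers the message text and the expiry strings.` The two `return $context->msg( 'group-membership-link-with-expiry' )` chains also repeat the message key and parameter list, which now have to be kept in sync by hand. Choosing the first parameter and the output method per format on a single chain would remove that duplication. The method body begins outside this hunk.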