From 91e63a1332fb589f8f3cc47b4466f24943aa8bd4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bartosz=20Dziewo=C5=84ski?=
Date: Mon, 2 Mar 2020 17:08:15 +0100
Subject: [PATCH] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors

Bug: T246602
Change-Id: Iea64a258499ab597b9a8900418a42162fdb5f391
---
 resources/src/jquery/jquery.makeCollapsible.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/resources/src/jquery/jquery.makeCollapsible.js b/resources/src/jquery/jquery.makeCollapsible.js
index 1f40e0a2b7..a433497506 100644
--- a/resources/src/jquery/jquery.makeCollapsible.js
+++ b/resources/src/jquery/jquery.makeCollapsible.js
@@ -279,6 +279,7 @@
 } else {
 collapsibleId = $collapsible.attr( 'id' ) || '';
 if ( collapsibleId.indexOf( 'mw-customcollapsible-' ) === 0 ) {
+ collapsibleId = $.escapeSelector( collapsibleId );
 $customTogglers = $( '.' + collapsibleId.replace( 'mw-customcollapsible', 'mw-customtoggle' ) )
 .addClass( 'mw-customtoggle' );
 }
--
2.20.1
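Review bot: The added line overwrites `collapsibleId` with its escaped form, so any later read of that variable as a plain id would see backslash escapes; the enclosing function continues outside the hunk, so I cannot confirm there are none. Escaping at the point of use keeps the raw id intact: `$customTogglers = $( '.' + $.escapeSelector( collapsibleId.replace( 'mw-customcollapsible', 'mw-customtoggle' ) ) )`. A short comment such as `// id comes from page content; escape before using it in a selector` would record why the call is there. The diffstat shows no test file, so a regression case with an id containing selector metacharacters (comma, space, bracket) would help keep the escaping in place.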