From bb411f8ce649017648959ae244e79a7465e9474f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bartosz=20Dziewo=C5=84ski?=
Date: Mon, 23 Mar 2020 22:01:30 +0100
Subject: [PATCH] SECURITY: UserGroupMembership: Fix HTML escaping in #getLink
In some cases, the return value would be either non-escaped or double-escaped.
Bug: T236509
Change-Id: If56a9df5f815a58a11741c5e020bb2d43a692563
(cherry picked from commit a0d7e49f0941a5f7a7e9cbb396540572317f9ae6)
---
 includes/user/UserGroupMembership.php | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/includes/user/UserGroupMembership.php b/includes/user/UserGroupMembership.php
index 2261fcb142..69999375df 100644
--- a/includes/user/UserGroupMembership.php
+++ b/includes/user/UserGroupMembership.php
@@ -398,15 +398,19 @@ class UserGroupMembership {
  // link to the group description page, if it exists
  $linkTitle = self::getGroupPage( $group );
  $linkRenderer = MediaWikiServices::getInstance()->getLinkRenderer();
- if ( $linkTitle ) {
- if ( $format === 'wiki' ) {
+ if ( $format === 'wiki' ) {
+ if ( $linkTitle ) {
  $linkPage = $linkTitle->getFullText();
  $groupLink = "[[$linkPage|$groupName]]";
  } else {
- $groupLink = $linkRenderer->makeLink( $linkTitle, $groupName );
+ $groupLink = $groupName;
  }
  } else {
- $groupLink = htmlspecialchars( $groupName );
+ if ( $linkTitle ) {
+ $groupLink = $linkRenderer->makeLink( $linkTitle, $groupName );
+ } else {
+ $groupLink = htmlspecialchars( $groupName );
+ }
  }
 
  if ( $expiry ) {
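Review bot: The new outer `else` treats every `$format` value other than `'wiki'` as HTML, whereas the old code keyed the HTML path on `$format === 'html'`; escaping by default is the right fail-closed choice for an unexpected format, but the intent is not stated anywhere in the hunk and a future maintainer may "restore" the `=== 'html'` check. A comment on the `else` line, `// Any format other than 'wiki' is HTML: the result is already escaped (makeLink() or htmlspecialchars()) and must not be escaped again by callers`, would pin that contract. The wiki fallback `$groupLink = $groupName;` deliberately returns unescaped wikitext, so a one-liner there, `// wikitext output: no HTML escaping here`, protects it from being "fixed" into htmlspecialchars() again. getLink() begins before this hunk, so its docblock (outside the hunk) should also state the per-format output contract: HTML-safe string for 'html', wikitext for 'wiki'.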
@@ -416,11 +420,15 @@ class UserGroupMembership {
  $expiryDT = $uiLanguage->userTimeAndDate( $expiry, $uiUser );
  $expiryD = $uiLanguage->userDate( $expiry, $uiUser );
  $expiryT = $uiLanguage->userTime( $expiry, $uiUser );
- if ( $format === 'html' ) {
+
+ if ( $format === 'wiki' ) {
+ return $context->msg( 'group-membership-link-with-expiry' )
+ ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->text();
+ } else {
  $groupLink = Message::rawParam( $groupLink );
+ return $context->msg( 'group-membership-link-with-expiry' )
+ ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->escaped();
  }
- return $context->msg( 'group-membership-link-with-expiry' )
- ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->text();
  }
  return $groupLink;
  }
-- 
2.20.1
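Review bot: The `else` after the wiki branch's `return` and the twice-written `$context->msg( 'group-membership-link-with-expiry' )->params( ... )` call make the two output paths harder to compare than they need to be, when the only differences are the rawParam() wrapping and `->text()` versus `->escaped()`. Building the message once and using an early return reads more clearly and also stops `$groupLink` being reassigned to a value of a different type (the rawParam wrapper) halfway through the method. Keep `->escaped()` on the HTML path as the commit has it: `$groupLink` is already HTML-safe from the branch in the first hunk, so it must be passed raw, while the expiry strings are escaped by the message. getLink() continues outside this hunk on both sides.
```php
				// … unchanged: $expiryDT / $expiryD / $expiryT computation …
				$msg = $context->msg( 'group-membership-link-with-expiry' );
				if ( $format === 'wiki' ) {
					return $msg->params( $groupLink, $expiryDT, $expiryD, $expiryT )->text();
				}
				// $groupLink is already HTML; rawParam() keeps the message from escaping it a second time
				return $msg->params( Message::rawParam( $groupLink ), $expiryDT, $expiryD, $expiryT )
					->escaped();
```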