Make Special:Version escape extension names that aren't links

This is to make phan-taint-check happy. Technically this is
a breaking change, but I am unaware of any extensions actually
having their names be arbitrary html, and support for this
is not documented anywhere.

Bug: T216348
Change-Id: I065d7e57f36e079e0b02180379e2df1f8535f3a8

diff --git a/RELEASE-NOTES-1.33 b/RELEASE-NOTES-1.33
index 9c5081c..419560d 100644 (file)
--- a/RELEASE-NOTES-1.33
+++ b/RELEASE-NOTES-1.33
@@ -436,6 +436,8 @@ because of Phabricator reports.
   insertions into links tables.
 * Category::newFromID( $id )->getID() will now return $id without any
   validation, to avoid a mostly unnecessary DB query.
+* On Special:Version, the name for an extension can no longer be arbitrary
+  html when no link is specified.
 
 == Compatibility ==
 MediaWiki 1.33 requires PHP 7.0.13 or later. Although HHVM 3.18.5 or later is

diff --git a/includes/specials/SpecialVersion.php b/includes/specials/SpecialVersion.php
index 2ad0def..391d9ab 100644 (file)
--- a/includes/specials/SpecialVersion.php
+++ b/includes/specials/SpecialVersion.php
@@ -703,7 +703,7 @@ class SpecialVersion extends SpecialPage {
                                [ 'class' => 'mw-version-ext-name' ]
                        );
                } else {
-                       $extensionNameLink = $extensionName;
+                       $extensionNameLink = htmlspecialchars( $extensionName );
                }
 
                // ... and the version information