SECURITY: Escape wikitext content model/format in message
author Brian Wolff <bawolff+wn@gmail.com>
Mon, 13 Mar 2017 21:20:02 +0000 (21:20 +0000)
committer Chad Horohoe <chadh@wikimedia.org>
Thu, 6 Apr 2017 20:42:58 +0000 (13:42 -0700)
Escape wikitext in model= and format= url parameter to
edit page. This goes along with 1c788944 to help prevent
XSS for wikis with $wgRawHtml = true; set.

Bug: T156184
Change-Id: Ifcaa2ccf05a2a691d0b150e2f7e0e765db25fc7f

RELEASE-NOTES-1.29
includes/EditPage.php

index eece3de..2552b40 100644 (file)
@@ -94,6 +94,7 @@ production.
   their values out of the logs.
 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
   token.
+* (T156184) SECURITY: Escape content model/format url parameter in message.
 
 === Action API changes in 1.29 ===
 * Submitting sensitive authentication request parameters to action=login,
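Review bot: the new release-note line does not say where the escaping applies; the neighbouring entries name the affected feature ("on the watchlist"), so for consistency and for readers triaging the advisory, consider "Escape content model/format url parameter in message on the edit page" (or naming action=edit), since the change is confined to EditPage.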
index e4d217c..2153b8c 100644 (file)
@@ -1027,7 +1027,7 @@ class EditPage {
                        throw new ErrorPageError(
                                'editpage-invalidcontentmodel-title',
                                'editpage-invalidcontentmodel-text',
-                               [ $this->contentModel ]
+                               [ wfEscapeWikiText( $this->contentModel ) ]
                        );
                }
 
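Review bot: wrapping $this->contentModel in wfEscapeWikiText() before it is passed as a message parameter is the right fix, because ErrorPageError renders its message as wikitext, so a URL-supplied model= value would otherwise be interpreted as markup (and as raw HTML on wikis with $wgRawHtml enabled). A follow-up worth considering is an audit of the other places in this class where URL-derived strings reach message parameters unescaped, applying the same treatment; Message::plaintextParam() would also state the intent more explicitly than escaping at each call site.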
@@ -1035,7 +1035,10 @@ class EditPage {
                        throw new ErrorPageError(
                                'editpage-notsupportedcontentformat-title',
                                'editpage-notsupportedcontentformat-text',
-                               [ $this->contentFormat, ContentHandler::getLocalizedName( $this->contentModel ) ]
+                               [
+                                       wfEscapeWikiText( $this->contentFormat ),
+                                       wfEscapeWikiText( ContentHandler::getLocalizedName( $this->contentModel ) )
+                               ]
                        );
                }
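Review bot: the second parameter here is the return value of ContentHandler::getLocalizedName(), which is an i18n message rather than URL input, so escaping it is defensive rather than strictly required by the reported issue; it is harmless, but it will render any wikitext a site deliberately placed in that localized name literally, which is worth confirming is acceptable. The hunk header's line count (+3 lines) matches the expanded array, and the multi-line array layout follows the file's existing indentation style.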