From 1aba1d864c135740c2c37c7af30e2117be072769 Mon Sep 17 00:00:00 2001 From: Brian Wolff Date: Sun, 17 Feb 2019 11:09:45 +0000 Subject: [PATCH] Make Special:Version escape extension names that aren't links This is to make phan-taint-check happy. Technically this is a breaking change, but I am unaware of any extensions actually having their names be arbitrary html, and support for this is not documented anywhere. Bug: T216348 Change-Id: I065d7e57f36e079e0b02180379e2df1f8535f3a8 --- RELEASE-NOTES-1.33 | 2 ++ includes/specials/SpecialVersion.php | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/RELEASE-NOTES-1.33 b/RELEASE-NOTES-1.33 index 9c5081cd77..419560d050 100644 --- a/RELEASE-NOTES-1.33 +++ b/RELEASE-NOTES-1.33 @@ -436,6 +436,8 @@ because of Phabricator reports. insertions into links tables. * Category::newFromID( $id )->getID() will now return $id without any validation, to avoid a mostly unnecessary DB query. +* On Special:Version, the name for an extension can no longer be arbitrary + html when no link is specified. == Compatibility == MediaWiki 1.33 requires PHP 7.0.13 or later. Although HHVM 3.18.5 or later is diff --git a/includes/specials/SpecialVersion.php b/includes/specials/SpecialVersion.php index 2ad0deff01..391d9abfd8 100644 --- a/includes/specials/SpecialVersion.php +++ b/includes/specials/SpecialVersion.php @@ -703,7 +703,7 @@ class SpecialVersion extends SpecialPage { [ 'class' => 'mw-version-ext-name' ] ); } else { - $extensionNameLink = $extensionName; + $extensionNameLink = htmlspecialchars( $extensionName ); } // ... and the version information -- 2.20.1
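Review bot: The new `$extensionNameLink = htmlspecialchars( $extensionName );` in the else branch of the SpecialVersion.php hunk carries no comment saying that `$extensionName` is treated as plain text and that this call is the only escaping on the no-link path. Without one, a later cleanup could drop it or add a second escape upstream. I would put `// $extensionName is plain text, not HTML; this branch has no link helper, so escape it here.` directly above the assignment. The link branch's call starts outside the hunk (only its closing `[ 'class' => 'mw-version-ext-name' ] );` is visible), so it is worth confirming that it escapes its text argument and that both branches now treat the name the same way. The enclosing method begins and ends outside the hunk, and no test accompanies the change; an assertion that a name containing markup is rendered as text when no URL is set would keep this from regressing.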