In my defense, it wasn't documented anywhere that it isn't safe to output.
I added docs in If56df0a7.
Change-Id: I6df92c628e46666efab3012073bf06673f844a0b
$headingMsg = wfMessage( $heading );
$any_link = false;
- $t = $this->menuHead( $headingMsg->exists() ? $headingMsg->text() : $heading );
+ $t = $this->menuHead( $headingMsg->exists() ? $headingMsg->text() : htmlspecialchars( $heading ) );
foreach ( $links as $key => $link ) {
// Can be empty due to rampant sidebar massaging we're doing above
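Review bot: On the changed `$t = $this->menuHead( ... )` line, only the fallback branch is escaped; when the message exists, `$headingMsg->text()` is still passed to `menuHead()` unescaped. `Message::text()` returns the message without HTML escaping, so if `menuHead()` emits its argument as raw HTML, which wrapping `$heading` in `htmlspecialchars()` implies, a sidebar heading message containing markup would still reach the output. Consider `$headingMsg->escaped()` for the first branch so both paths are escaped the same way, or escape once inside `menuHead()` so callers cannot miss it.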