From e80741975a155d22dba798500f7480c567b9a0e6 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Fri, 29 Sep 2023 09:29:25 -0700
Subject: [PATCH] SECURITY: Ensure group name is escaped in user rights log
This fixes issue where group-*-member messages are output with incorrect escaping.
Bug: T347726
Change-Id: Ib9f77a7c0c90c3f12c4bc543f585afda80281356
---
 includes/logging/RightsLogFormatter.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/logging/RightsLogFormatter.php b/includes/logging/RightsLogFormatter.php
index 95f9a24fb96..45893dca4d9 100644
--- a/includes/logging/RightsLogFormatter.php
+++ b/includes/logging/RightsLogFormatter.php
@@ -146,7 +146,7 @@ class RightsLogFormatter extends LogFormatter {
 $expiryFormatted, $expiryFormattedD, $expiryFormattedT )->parse();
 } else {
 // the right does not expire; just insert the group name
- $permList[] = $group;
+ $permList[] = htmlspecialchars( $group );
 }
 next( $groups );
-- 2.30.2
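Review bot: The comment above the changed line in the `else` branch still reads "just insert the group name" and nothing in the hunk records that `$permList` entries must already be HTML-safe, which is the invariant this fix depends on (the list is presumably joined and emitted as HTML outside the hunk); I would change it to `// the right does not expire; insert the HTML-escaped group name`. The expiring-group branch ends in `->parse()` with its opening outside the hunk, so it is worth confirming that `$group` reaches that message as an escaped parameter rather than a raw one. With default flags, `htmlspecialchars( $group )` does not escape single quotes on PHP older than 8.1; that is enough for element text, but `htmlspecialchars( $group, ENT_QUOTES )` would make the result independent of the runtime version. The diffstat shows a single file changed, so a formatter test that asserts a group name containing markup characters comes out escaped would guard against this regressing.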