From e7849fc7f927a65177898710ac6ba1902636f902 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Wed, 21 Oct 2015 14:24:17 +0200
Subject: [PATCH] SECURITY: mediawiki.js: Escape HTML in mw.message( ...
 ).parse()

This basically makes .parse() equivalent to .escaped() rather than .text().

Does not affect the mediawiki.jqueryMsg version, which still accepts
whitelisted HTML tags.

Bug: T115888
Change-Id: I6513dfb480024309e1594abc6f07bbd3b0c5a10e
---
 resources/src/mediawiki.base/mediawiki.base.js |  7 ++++++-
 .../mediawiki/mediawiki.jqueryMsg.test.js      | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/resources/src/mediawiki.base/mediawiki.base.js b/resources/src/mediawiki.base/mediawiki.base.js
index 2a1edf558c..331ccff5ab 100644
--- a/resources/src/mediawiki.base/mediawiki.base.js
+++ b/resources/src/mediawiki.base/mediawiki.base.js
@@ -117,7 +117,12 @@
 			) {
 				text = '(' + this.key + '$*)';
 			}
-			return mw.format.apply( null, [ text ].concat( this.parameters ) );
+			text = mw.format.apply( null, [ text ].concat( this.parameters ) );
+			if ( this.format === 'parse' ) {
+				// We don't know how to parse anything, so escape it all
+				text = mw.html.escape( text );
+			}
+			return text;
 		},
 
 		/**
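Review bot: The comment added in the `this.format === 'parse'` branch says only that nothing can be parsed, but this is the line that makes `.parse()` output safe to insert as HTML, and it should say so. Something like `// The base parser cannot interpret wikitext or HTML, so escape the whole expanded string (message text and parameters); only mediawiki.jqueryMsg lets whitelisted tags through` would tell a maintainer that the message text itself is escaped too, not just the parameters. The escape is keyed on `this.format`, which is presumably set by `.parse()` before it calls this function. The function starts outside the hunk, so its doc comment is not visible here, but it should state that the 'parse' format returns HTML-escaped text. Any caller that already wrapped `.parse()` output in `mw.html.escape` would now double-escape, which is worth a line in the release notes.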
diff --git a/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js b/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js
index e6b933d35b..eeebaae4e5 100644
--- a/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js
+++ b/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js
@@ -758,6 +758,24 @@
 		mw.jqueryMsg.getMessageFunction = oldGMF;
 	} );
 
+	// Tests that HTML in message parameters is escaped,
+	// whether the message looks like wikitext or not.
+	QUnit.test( 'mw.Message.prototype.parser monkey-patch HTML-escape', function ( assert ) {
+		mw.messages.set( '1x-wikitext', '<span>$1</span>' );
+		assert.htmlEqual(
+			mw.message( '1x-wikitext', '<script>alert( "1x-wikitext test" )</script>' ).parse(),
+			'<span>&lt;script&gt;alert( &quot;1x-wikitext test&quot; )&lt;/script&gt;</span>',
+			'Message parameters are escaped if message contains wikitext'
+		);
+
+		mw.messages.set( '1x-plain', '$1' );
+		assert.htmlEqual(
+			mw.message( '1x-plain', '<script>alert( "1x-plain test" )</script>' ).parse(),
+			'&lt;script&gt;alert( &quot;1x-plain test&quot; )&lt;/script&gt;',
+			'Message parameters are still escaped if message contains no wikitext'
+		);
+	} );
+
 	formatnumTests = [
 		{
 			lang: 'en',
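Review bot: Both assertions check only that HTML in a message parameter is escaped; neither pins the other half of the base-module change, that HTML in the message text itself is escaped when jqueryMsg is not handling the message. Judging by the test title and the unescaped `<span>` in the first expectation, the first case goes through the jqueryMsg monkey-patch, and the second presumably reaches the base parser only through its fallback. A case that runs without the jqueryMsg parser, using a message such as `'<b>$1</b>'` and expecting `&lt;b&gt;…&lt;/b&gt;` from `.parse()`, would guard the fix against regressions. Adding `assert.strictEqual( mw.message( '1x-plain', '<b>x</b>' ).text(), '<b>x</b>' )` would also show that `.text()` is deliberately left unescaped. The test leaves `1x-wikitext` and `1x-plain` in `mw.messages`; if the module setup does not reset messages between tests, remove them at the end.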
-- 
2.25.1

