From 088c70d65c5c73e20d475829cf871af2d0809169 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Bartosz=20Dziewo=C5=84ski?= <dziewonski@fastmail.fm>
Date: Sun, 15 Feb 2026 01:47:56 +0100
Subject: [PATCH] SECURITY: Validate link target for protection indicators help
 page

Bug: T416090
Change-Id: I5fa630ca3d00e3bc98b732320ab9ffc8ff95491c
---
 includes/page/Article.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/includes/page/Article.php b/includes/page/Article.php
index fb3a6377791..d57fe971ae7 100644
--- a/includes/page/Article.php
+++ b/includes/page/Article.php
@@ -54,6 +54,7 @@ use MediaWiki\Revision\BadRevisionException;
 use MediaWiki\Revision\RevisionRecord;
 use MediaWiki\Revision\RevisionStore;
 use MediaWiki\Revision\SlotRecord;
+use MediaWiki\Skin\Skin;
 use MediaWiki\Status\Status;
 use MediaWiki\Title\Title;
 use MediaWiki\User\Options\UserOptionsLookup;
@@ -663,7 +664,7 @@ class Article implements Page {
 		if ( $protectionHelpLink->isDisabled() ) {
 			$protectionHelpLink = 'https://mediawiki.org/wiki/Special:MyLanguage/Help:Protection';
 		} else {
-			$protectionHelpLink = $protectionHelpLink->text();
+			$protectionHelpLink = Skin::makeInternalOrExternalUrl( $protectionHelpLink->text() );
 		}
 
 		$outputPage->setIndicators( [
-- 
2.45.1.windows.1