From 2f251a772ae732353032bbd640da3dfae924b238 Mon Sep 17 00:00:00 2001
From: mainframe98 <k.s.werf@hotmail.com>
Date: Fri, 30 Apr 2021 20:26:15 +0200
Subject: [PATCH] SECURITY: Fix XSS vulnerability in EditPage and
 ProtectionForm

The documentation of OutputPage::wrapWikiMsg says it is
equivalent to OutputPage::addWikitextAsInterface called
with wfMessage()->plain(). This is correct, as it parses
it in addWikitextAsInterface. If the plain() result is passed to
addHTML instead, no parsing or escaping is done automatically.

Follow-up to I83f2828bcde160c98a1d97e783a869e64fb4c6ea.

Bug: T281595
Change-Id: Ia6c7a7447e5cea903be9f5d9e76320ea56fedd4c
---
 includes/EditPage.php       | 2 +-
 includes/ProtectionForm.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/EditPage.php b/includes/EditPage.php
index f74f3ba61e..e1a7f18e79 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -2966,7 +2966,7 @@ class EditPage implements IEditObject {
 
 		if ( $this->wasDeletedSinceLastEdit() && $this->formtype !== 'save' ) {
 			$out->addHTML( Html::errorBox(
-				$out->msg( 'deletedwhileediting' )->plain(),
+				$out->msg( 'deletedwhileediting' )->parse(),
 				'',
 				'mw-deleted-while-editing'
 			) );
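Review bot: The reason for switching to `->parse()` is not visible at the call site, so a later edit could reintroduce `->plain()` here. A one-line comment above the `addHTML` call would pin the contract, e.g. `// Html::errorBox() takes HTML: parse() renders the message; plain() would insert it unescaped`. The same comment fits the ProtectionForm hunk below. A regression test feeding a message containing markup through this path would guard the fix; the enclosing method starts and ends outside the hunk.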
diff --git a/includes/ProtectionForm.php b/includes/ProtectionForm.php
index a0d09b41e3..af9edaf7f5 100644
--- a/includes/ProtectionForm.php
+++ b/includes/ProtectionForm.php
@@ -256,7 +256,7 @@ class ProtectionForm {
 		$out->addBacklinkSubtitle( $this->mTitle );
 
 		if ( is_array( $err ) ) {
-			$out->addHTML( Html::errorBox( $out->msg( ...$err )->plain() ) );
+			$out->addHTML( Html::errorBox( $out->msg( ...$err )->parse() ) );
 		} elseif ( is_string( $err ) ) {
 			$out->addHTML( Html::errorBox( $err ) );
 		}
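Review bot: The `is_string( $err )` branch on the lines after the change still passes `$err` straight into `Html::errorBox()`, so this hunk fixes only the array form; whether the string form is safe depends on every caller already supplying HTML, which the hunk does not show. That contract should at least be stated on the `$err` parameter docblock (outside the hunk), e.g. `@param string|array|null $err A pre-escaped HTML string, or a message key plus parameters`, and if any caller passes user-derived plain text the branch needs `htmlspecialchars()` or an `->escaped()` message instead. The enclosing method begins and ends outside this hunk.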
-- 
2.31.1.windows.1

