From 11a8c628c2437502e4c0c6d74033b345277e2596 Mon Sep 17 00:00:00 2001
From: Alexander Vorwerk
Date: Fri, 24 Sep 2021 16:52:47 +0200
Subject: [PATCH] SECURITY: Pass escaped HTML to the 'setchange' log
Bug: T291696
Change-Id: I7aeaa6e4de5ccaa5eeb6bf4fb00c96b01d5fea35
---
 includes/CentralAuthHooks.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/includes/CentralAuthHooks.php b/includes/CentralAuthHooks.php
index d8a88818..c7c5a291 100644
--- a/includes/CentralAuthHooks.php
+++ b/includes/CentralAuthHooks.php
@@ -202,8 +202,8 @@ class CentralAuthHooks implements
 break;
 case 'setchange':
 $args = [
- $params[1] ?: wfMessage( 'rightsnone' )->text(),
- $params[2] ?: wfMessage( 'rightsnone' )->text()
+ $params[1] ?: wfMessage( 'rightsnone' )->escaped(),
+ $params[2] ?: wfMessage( 'rightsnone' )->escaped()
 ];
 break;
 default: // 'deleteset'
--
2.17.1
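Review bot: Only the `rightsnone` fallback is escaped in the `setchange` case; a non-empty `$params[1]` or `$params[2]` still goes into `$args` unchanged, so the array can mix escaped HTML with raw stored log parameters. The code that renders `$args` is outside this hunk (the switch and its enclosing method start and end beyond it), so whether those values are escaped elsewhere cannot be confirmed from here. If `$args` is emitted as HTML, as the commit subject implies, both branches should be escaped, e.g. `$params[1] ? htmlspecialchars( $params[1] ) : wfMessage( 'rightsnone' )->escaped(),` and the same for `$params[2]`. A short comment above `$args = [` such as `// $args are output as raw HTML; every element must be HTML-escaped` would record the contract for the other cases of the switch.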