commit 904948fb2d2fa445eeb02bfed519c8610bb33603
Author: Brad Jorsch <bjorsch@wikimedia.org>
Date:   Wed Mar 13 16:44:58 2013 -0400

    Sanitize $limitReport before outputting
    
    Prevents possible injection of "-->" and other HTML by extensions using
    the ParserLimitReport hook.
    
    Change-Id: I8d50e597be4d8247c441197ff403c3c2e86720e0

diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 7f21449..59a2929 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -501,6 +501,11 @@ class Parser {
 				"Highest expansion depth: {$this->mHighestExpansionDepth}/{$this->mOptions->getMaxPPExpandDepth()}\n" .
 				$PFreport;
 			wfRunHooks( 'ParserLimitReport', array( $this, &$limitReport ) );
+
+			// Sanitize for comment. Note '‐' in the replacement is U+2010,
+			// which looks much like the problematic '-'.
+			$limitReport = str_replace( array( '-', '&' ), array( '‐', '&amp;' ), $limitReport );
+
 			$text .= "\n<!-- \n$limitReport-->\n";
 
 			if ( $this->mGeneratedPPNodeCount > $this->mOptions->getMaxGeneratedPPNodeCount() / 10 ) {
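Review bot: The comment on the added lines explains the U+2010 stand-in for '-' but says nothing about why '&' is rewritten as well; character references are not decoded inside an HTML comment, so `&amp;` shows up literally in the page source, and the '-' replacement alone is what blocks the comment terminators (both `-->` and `--!>` need a '-'), so the '&' rewrite appears to be a consistency choice rather than part of the fix. Worth stating that in the comment so a later reader does not drop or "fix" it without knowing, e.g. `// '&' is not decoded inside a comment; escaped only for consistency with the surrounding HTML.`. It would also help to note that the two str_replace pairs are applied in order and that neither replacement string reintroduces the other search character, so the result does not depend on that order. The enclosing method starts and ends outside the hunk.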
