From 9f0822192576c417b49f46ebffbe0cbc1a3f2169 Mon Sep 17 00:00:00 2001
From: Martin Urbanec <martin.urbanec@wikimedia.cz>
Date: Tue, 17 Aug 2021 17:04:47 +0200
Subject: [PATCH] SECURITY: Fix XSS vulnerability in mentor dashboard

Html::rawElement cannot be used together with the "text"
mode of messages API; that results in unsafe HTML.

Bug: T289063
Change-Id: I2bd8e98e3b31dce0d2b49707e6e38bd342949314
---
 includes/MentorDashboard/Modules/MenteeOverview.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/MentorDashboard/Modules/MenteeOverview.php b/includes/MentorDashboard/Modules/MenteeOverview.php
index 0f8e14aa..60f15b5f 100644
--- a/includes/MentorDashboard/Modules/MenteeOverview.php
+++ b/includes/MentorDashboard/Modules/MenteeOverview.php
@@ -30,7 +30,7 @@ class MenteeOverview extends BaseModule {
 	 * @inheritDoc
 	 */
 	protected function getBody() {
-		return Html::rawElement(
+		return Html::element(
 			'div',
 			[
 				'class' => 'growthexperiments-mentor-dashboard-module-mentee-overview-content'
-- 
2.20.1